Splunk Search

TA-asngen lookup - does it actually work?

Contributor

Been looking for a replacement for the GeoASN app that used to exist on Splunkbase for a while, and the TA-asngen (https://splunkbase.splunk.com/app/3531/) seemed to fit the bill.

However, even though it installs fine, and the initial asngen command generates the asn.csv correctly, I'm not able to get a lookup to actually work. This is on 7.0.5 or 7.2.4.2 - same result on either.

I have log data which has a field extracted as src_ip which is an IPv4 IP. I then do:

... | lookup local=t asn ip AS src_ip

But alas, whilst I certainly see my src_ip, I don't get the other fields from the lookup enriching the output.

I've also tried renaming my src_ip to just "ip" but that doesn't cut it either.

The TA defines the match_type as CIDR(ip) which makes sense, but I can't seem to get the fields shown. I have also tried an explicit OUTPUT for some of the field names, but, that also does not work.

Clearly I'm missing something trivially obvious. Permissions are correct, the files are the correct mode, I can see the content on disk, and running the command generates no errors. It also doesn't generate the expected output!

0 Karma

Engager

We just had the same issue. For us, the installer hadn't correctly increased the lookup max_memtable_bytes setting as described in the app documentation. Make sure your limits.conf looks like:

[lookup]
max_memtable_bytes = 30000000

The default of 10 MB isn't large enough to load the whole lookup, and thus your search will often fail to find the results you expect.

Hope this works for you too!

0 Karma

Engager

Does the following work?
| inputlookup asn

If so the following should work as well.

| inputlookup asn
| eval clientip="216.58.200.110"
| dedup clientip
| lookup asn ip AS clientip output asn autonomoussystem ip
| rename ip AS iprange
| iplocation clientip
| table clientip iprange autonomoussystem asn City Region Country lat lon

0 Karma
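As an added illustration (not code from the thread or from the TA-asngen app), this Python script reproduces what a lookup with match_type = CIDR(ip) does against a small constructed asn.csv-style table: the lookup's ip column holds network prefixes, the event's src_ip is a single address, and the row whose prefix contains the address supplies asn and autonomoussystem. The optional max_bytes argument imitates an undersized lookup memtable, which is the failure described in the second reply: rows that do not fit are dropped and addresses in those ranges simply come back unenriched. Column names follow the thread; the sample rows and the byte accounting are constructed for the demo.

```python
import csv
import io
import ipaddress

# Constructed rows in the shape of TA-asngen's asn.csv. The "ip" column holds
# CIDR prefixes, which is what a lookup with match_type = CIDR(ip) keys on.
ASN_CSV = """ip,asn,autonomoussystem
216.58.192.0/19,15169,GOOGLE
198.51.100.0/24,64496,EXAMPLE-NET-A
203.0.113.0/24,64497,EXAMPLE-NET-B
"""


def load_table(text, max_bytes=None):
    """Parse the CSV into (network, row) pairs.

    max_bytes mimics an undersized lookup memtable: rows past the budget are
    silently dropped, so addresses in those ranges later get no enrichment.
    """
    table, used = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        used += len(",".join(row.values())) + 1
        if max_bytes is not None and used > max_bytes:
            break
        table.append((ipaddress.ip_network(row["ip"], strict=False), row))
    return table


def cidr_lookup(table, addr):
    """Row whose prefix contains addr (longest prefix wins), or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, row in table:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    return None if best is None else best[1]


def enrich(table, events, src_field="src_ip"):
    """Python equivalent of '| lookup asn ip AS src_ip OUTPUT asn autonomoussystem'."""
    out = []
    for ev in events:
        ev = dict(ev)
        hit = cidr_lookup(table, ev[src_field])
        if hit is not None:
            ev["asn"], ev["autonomoussystem"] = hit["asn"], hit["autonomoussystem"]
        out.append(ev)
    return out
```

Loading the same text with a budget too small for every row (for example max_bytes=70, which keeps only the first two rows) makes addresses in the third prefix return nothing, mirroring the symptom of a max_memtable_bytes setting that is too low for the real asn.csv.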