Splunk Search

Trying to use wildcards and CIDR in a lookup table but I am having no luck

ECovell
Path Finder

Ladies and Gentlemen,
I have been trying for the better part of a week to get my lookup tables with CIDR and wildcards to work, but I am having zero success.

My PROPS.CONF for both searches is:
CIDR
[sourcetype]
LOOKUP_needip = CIDR neededip AS IP

wildcard_IP
[sourcetype]
LOOKUP-wildcardip = Mass_IP wildcardip OUTPUT wildcard_site

TRANSFORMS.CONF:

[CIDR]
filename = CIDR.csv
match_type = CIDR(neededip)

wildcardIP

[wildcard_IP]
filename = wildcard_IP.csv
DELIMS = " "
match_type = WILDCARD(wildcardip)

I am using a simple lookup at the beginning of the search, i.e.:

sourcetype=foo host=bar [| inputlookup wildcard_IP.csv]

Are my props and transforms correct? I am at a loss.

Thanks for any help,
Ernie

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Check out this search result for troubleshooting:

sourcetype=foo host=bar | top wildcard_site

If that populates with sites from your lookup then your lookup works. If it does, replace your original search with this:

sourcetype=foo host=bar wildcard_site=*

The subsearch-based one you had would return a list of CIDR IPs and sites to filter for, without honouring the CIDR matching and without only looking for IPs and returning sites.


0 Karma
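Martin's two checks and his remark about the subsearch can be modelled outside Splunk. The Python below is an added example, not code from this thread, from Splunk or from either poster: it emulates what match_type = CIDR(...) and match_type = WILDCARD(...) do inside an automatic lookup, runs the equivalents of "| top wildcard_site" and "wildcard_site=*", and shows why "[| inputlookup wildcard_IP.csv]" returns nothing. The lookup rows, the event list and the field names dst and needed_site are constructed assumptions; the thread's real files are not shown.

```python
import csv
import fnmatch
import io
import ipaddress

# Constructed lookup files (assumptions, not the thread's real CSVs). Splunk
# lookup files are ordinary CSV, so a quoted header or value needs no DELIMS
# setting: the CSV reader already handles the quotes.
CIDR_CSV = """neededip,needed_site
10.10.0.0/16,"Campus A"
192.168.5.0/24,"Lab B"
"""

WILDCARD_CSV = """wildcardip,"wildcard_site"
10.10.*,"Department of Fashion"
172.16.4.*,"Records Office"
"""

# Constructed events; the destination IP lives in a field called dst, which is
# why the lookup has to be told "wildcardip AS dst".
EVENTS = [
    {"sourcetype": "foo", "host": "bar", "dst": "10.10.3.7"},
    {"sourcetype": "foo", "host": "bar", "dst": "172.16.4.9"},
    {"sourcetype": "foo", "host": "bar", "dst": "8.8.8.8"},
    {"sourcetype": "foo", "host": "bar", "dst": "192.168.5.20"},
]


def load_lookup(text):
    """Parse a lookup file the way Splunk does: CSV with a header row."""
    return list(csv.DictReader(io.StringIO(text)))


def cidr_match(lookup, key, value):
    """match_type = CIDR(key): lookup column holds networks, event value is one address."""
    addr = ipaddress.ip_address(value)
    for row in lookup:
        if addr in ipaddress.ip_network(row[key], strict=False):
            return row
    return None


def wildcard_match(lookup, key, value):
    """match_type = WILDCARD(key): lookup column holds glob patterns such as 10.10.*"""
    for row in lookup:
        if fnmatch.fnmatchcase(value, row[key]):
            return row
    return None


def automatic_lookup(events, lookup, key, event_field, matcher, output_field):
    """Emulate 'LOOKUP-x = <transform> <key> AS <event_field> OUTPUT <output_field>'.

    Events without a match simply do not receive the output field, which is
    what makes 'wildcard_site=*' a usable filter afterwards.
    """
    enriched = []
    for ev in events:
        ev = dict(ev)
        row = matcher(lookup, key, ev[event_field]) if event_field in ev else None
        if row is not None:
            ev[output_field] = row[output_field]
        enriched.append(ev)
    return enriched


def top(events, field):
    """Emulate '| top <field>': count per value, most frequent first."""
    counts = {}
    for ev in events:
        if field in ev:
            counts[ev[field]] = counts.get(ev[field], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def with_field(events, field):
    """Emulate the '<field>=*' filter: keep events where the lookup produced the field."""
    return [ev for ev in events if field in ev]


def subsearch_filter(events, lookup):
    """Emulate 'sourcetype=foo host=bar [| inputlookup wildcard_IP.csv]'.

    The subsearch expands to (wildcardip="10.10.*" AND wildcard_site="...") OR ...,
    so each event must itself carry fields named wildcardip and wildcard_site.
    The * is still a search-time wildcard, but no event has those fields, so
    nothing is ever compared against dst and no CIDR/wildcard lookup happens.
    """
    kept = []
    for ev in events:
        for row in lookup:
            if all(k in ev and fnmatch.fnmatchcase(ev[k], v) for k, v in row.items()):
                kept.append(ev)
                break
    return kept


if __name__ == "__main__":
    rows = load_lookup(WILDCARD_CSV)
    enriched = automatic_lookup(EVENTS, rows, "wildcardip", "dst", wildcard_match, "wildcard_site")
    print("| top wildcard_site ->", top(enriched, "wildcard_site"))
    print("wildcard_site=* keeps", len(with_field(enriched, "wildcard_site")), "events")
    print("subsearch filter keeps", len(subsearch_filter(EVENTS, rows)), "events")
    print("CIDR lookup for 10.10.200.1 ->", cidr_match(load_lookup(CIDR_CSV), "neededip", "10.10.200.1"))
```

Running it, the automatic lookup enriches two of the four events, "| top wildcard_site" lists both sites, "wildcard_site=*" keeps those two events, and the subsearch-style filter keeps none, because the events have a dst field rather than wildcardip.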

martin_mueller
SplunkTrust
SplunkTrust

That suggests your automatic lookup is broken. Do post some sample events along with some sample lines from your lookup file.

What is the DELIMS setting for your lookup file supposed to do?

ECovell
Path Finder

I removed the DELIM, shortened the wildcard values for each IP and changed the PROPS.CONF to

LOOKUP_wildcardip = wildcard_IP wildcardip as dst OUTPUT wildcard_site
And I am getting results now.

Thanks for the help

0 Karma

ECovell
Path Finder

The lookup table is set up like this:

wildcardip,"wildcard_site"
123...*,"Department of Fashion"

So I am using the DELIMS for the wildcard_site side

0 Karma

ECovell
Path Finder

Unfortunately, nothing is populating in the search.

0 Karma