Splunk Search

Use a lookup file to tag IP blocks

New Member

So what I want to do is tag all IPs that belong to certain AWS regions and filter out those IPs. I want to try and tag them the most efficient way. I thought maybe a lookup file with all of their IP blocks. Are lookup files capable of doing this? I know that you can just use ip="" and that would filter out all IPs in that block but they have a ton of regions which would be a really large query (almost 2000 blocks!). Any direction would be helpful. 🙂

0 Karma


I just answered a similar question this morning about lookups using CIDR blocks:

Since tagging is last in the order of operations, it should be possible as long as you have information about all of the subnets in use across AWS regions.


0 Karma
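An added example, not part of the original thread: one way to build the CIDR lookup file the answer refers to, by flattening a document in the layout of AWS's published `ip-ranges.json` into a CSV for the regions of interest. The column names `cidr` and `aws_region`, the file name `aws_ip_ranges.csv` and the region set are assumptions, and the input is a constructed sample that uses documentation ranges.

```python
import csv
import io
import ipaddress
import json

# Constructed sample in the layout of AWS's ip-ranges.json
# (documentation ranges, not real AWS blocks).
SAMPLE_JSON = """
{"prefixes": [
  {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1",  "service": "AMAZON"},
  {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1",  "service": "EC2"},
  {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1",  "service": "AMAZON"},
  {"ip_prefix": "203.0.113.0/24",  "region": "ap-south-1", "service": "AMAZON"}
],
 "ipv6_prefixes": [
  {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "AMAZON"}
]}
"""

def build_rows(doc, regions):
    """Return sorted, de-duplicated (cidr, region) rows for the wanted regions."""
    rows = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if entry["region"] in regions:
                # Validate and normalise; raises ValueError on a malformed block.
                net = ipaddress.ip_network(entry[field], strict=True)
                rows.add((str(net), entry["region"]))
    return sorted(rows)

def to_lookup_csv(rows):
    """Render rows as the CSV that a CIDR-matching lookup definition reads."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["cidr", "aws_region"])  # assumed column names
    writer.writerows(rows)
    return buf.getvalue()

def region_for(ip, rows):
    """Local sanity check mimicking the CIDR match: region of the block holding ip."""
    addr = ipaddress.ip_address(ip)
    for cidr, region in rows:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return region
    return None

if __name__ == "__main__":
    rows = build_rows(json.loads(SAMPLE_JSON), {"us-east-1", "eu-west-1"})
    print(to_lookup_csv(rows), end="")  # save as aws_ip_ranges.csv (assumed name)
```

With a lookup definition over this file that sets `match_type = CIDR(cidr)` in transforms.conf, a single `lookup` call can add `aws_region` to each event, and events where that field is set can then be filtered out instead of listing every block in the search.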