Splunk Search

Use a lookup file to tag IP blocks

arseniof
New Member

So what I want to do is tag all IPs that belong to certain AWS regions and filter out those IPs. I want to try and tag them the most efficient way. I thought maybe a lookup file with all of their IP blocks. Are lookup files capable of doing this? I know that you can just use ip="52.95.245.0/24" and that would filter out all IPs in that block, but they have a ton of regions, which would be a really large query (almost 2000 blocks!). Any direction would be helpful. 🙂

0 Karma

rmmiller
Contributor

I just answered a similar question this morning about lookups using CIDR blocks:
https://answers.splunk.com/answers/777135/how-to-make-a-visualization-using-a-lookup-with-ip.html#an...

Since tagging is last in the order of operations, it should be possible as long as you have information about all of the subnets in use across AWS regions.

rmmiller

0 Karma