Splunk Search

Use a lookup file to tag IP blocks

arseniof
New Member

So what I want to do is tag all IPs that belong to certain AWS regions and filter out those IPs. I want to try and tag them the most efficient way. I thought maybe a lookup file with all of their IP blocks. Are lookup files capable of doing this? I know that you can just use
ip="52.95.245.0/24" and that would filter out all IPs in that block but they have a ton of regions which would be a really large query (almost 2000 blocks!). Any direction would be helpful. 🙂

0 Karma

rmmiller
Contributor

I just answered a similar question this morning about lookups using CIDR blocks:
https://answers.splunk.com/answers/777135/how-to-make-a-visualization-using-a-lookup-with-ip.html#an...

Since tagging is last in the order of operations, it should be possible as long as you have information about all of the subnets in use across AWS regions.

rmmiller

0 Karma
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...