Splunk Search

Using CIDR in a lookup table

sajbutler
Path Finder

Fellow Splunkers

I am building a query where I want to report on location based on source IP address. For example within our internal network the subnet 10.50.6.0/24 corresponds to Sydney, whereas 10.50.7.0/24 corresponds to Melbourne. Thus far I have been able to prove my approach using the cidrmatch function as follows:

eval location=case(cidrmatch("10.50.6.0/24",src_ip),"Sydney", cidrmatch("10.50.7.0/24",src_ip),"Melbourne")

Using a case statement doesn't scale when I have hundreds of subnets spread across Australia and New Zealand. I was thinking of having a lookup table of the following format:

Subnet,Location
10.50.6.0/24,Sydney
10.50.7.0/24,Melbourne

My problem is that I have not been able to find a way to perform the appropriate lookup.

I have the following questions:

  1. Can anyone suggest a way to execute a CIDR-based query against a lookup table?
  2. Is there an alternative/better solution to the above that will allow me to match an internal source IP to location of my choosing?

Many thanks

1 Solution

kristian_kolb
Ultra Champion

I realize that my answer may come a bit late, but you could do it through lookups. Perhaps these options were not available at the time of your posting.

Create a CSV lookup table with your subnets (in my example I've used a different type of classification for identifying potentially bad site users). We'll call this file knownips.csv and put it in /opt/splunk/etc/system/lookups.

clientip, honesty, comment
170.192.178.10/32, BAD, open_proxy
63.236.6.247/32, BAD, open_proxy
177.23.21.223/32, BAD, TOR_exit_node
27.35.0.0/16, OK, friendly_partner
27.96.0.0/16, BAD, hostile_competitor
195.69.252.0/24, BAD, suspicious_ISP

in transforms.conf

[checkip]
filename = knownips.csv
max_matches = 1
min_matches = 1
default_match = OK
match_type = CIDR(clientip)

in props.conf

[access_combined]
LOOKUP-check = checkip clientip OUTPUT honesty comment

This lets you run searches like:

sourcetype="access_combined" honesty=BAD | stats count by clientip, comment

with results like:

clientip         comment          count
170.192.178.10   open_proxy          78
177.23.21.223    TOR_exit_node       12
189.222.1.22     TOR_exit_node       26
195.69.252.22    suspicious_ISP     138

Hope this helps,

Kristian
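The following Python is an added example, not Kristian's or Splunk's code: it models the CIDR lookup described above so the knownips.csv table (taken from the post) can be exercised outside Splunk, and the same loader handles the questioner's Subnet,Location table by passing a different key column. The clientip values fed through it are constructed, and the way a no-match fills every output field with default_match is an assumption, since the post does not state how Splunk fills the non-key output fields in that case.

```python
import csv
import io
import ipaddress

# Lookup table exactly as posted (knownips.csv). Splunk's CSV lookups tolerate
# the space after each comma; skipinitialspace does the same here.
KNOWNIPS_CSV = """clientip, honesty, comment
170.192.178.10/32, BAD, open_proxy
63.236.6.247/32, BAD, open_proxy
177.23.21.223/32, BAD, TOR_exit_node
27.35.0.0/16, OK, friendly_partner
27.96.0.0/16, BAD, hostile_competitor
195.69.252.0/24, BAD, suspicious_ISP
"""

# Constructed clientip values (not from the post) standing in for access_combined
# events: two suspicious_ISP hits, one TOR exit, one friendly partner, one no-match.
SAMPLE_CLIENTIPS = ["195.69.252.22", "195.69.252.22", "177.23.21.223",
                    "27.35.10.9", "10.50.6.17"]

def load_cidr_table(text, key_field):
    """Parse a CSV lookup into (network, row) pairs, preserving file order.
    key_field is the column holding the CIDR, i.e. the field named in
    match_type = CIDR(<key_field>)."""
    table = []
    for row in csv.DictReader(io.StringIO(text), skipinitialspace=True):
        row = {k.strip(): v.strip() for k, v in row.items()}
        table.append((ipaddress.ip_network(row[key_field], strict=False), row))
    return table

def cidr_lookup(table, ip, output, default="OK"):
    """Return the OUTPUT fields of the first row whose subnet contains ip
    (max_matches = 1). With no match, each output field is filled with
    default (modelling default_match = OK; assumption, see lead-in)."""
    addr = ipaddress.ip_address(ip)
    for net, row in table:
        if addr in net:
            return {f: row[f] for f in output}
    return {f: default for f in output}

def count_bad_by_clientip(table, clientips):
    """Equivalent of: honesty=BAD | stats count by clientip, comment."""
    counts = {}
    for ip in clientips:
        enriched = cidr_lookup(table, ip, ("honesty", "comment"))
        if enriched["honesty"] == "BAD":
            key = (ip, enriched["comment"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```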
