Splunk Search

Why am I getting zero results using CIDR matching and a CSV lookup of IP subnets to scan through firewall logs for hits?

ltrand
Contributor

I'm attempting to use a CSV list of IP subnets to scan through firewall logs for hits, but it's not working out well.

lookup CSV is as follows:

address
"192.168.15.0/24"

transforms.conf looks like this:

[lan-ranges-test]
filename = lan-ranges-test.csv
match_type = CIDR(address)
fields_list = address

Attempted searches:
So far here is my search:

1:

sourcetype="firewalls"
| search [| inputlookup lan-ranges-test.csv | fields address | rename address as addresses]
| where cidrmatch(addresses, src)
|table src

2:

sourcetype="firewalls" src=*
| lookup lan-ranges-test.csv address as src OUTPUT address as sources
| search sources=* 
| table sources

These result in 0 hits. If I run the following search, however, I get hits:

sourcetype="firewalls" src="192.168.15.0/24"

Any thoughts on why I can't get the CSV to work? I have hundreds that I'd like to not have to export raw logs and go excel ninja on.

Thanks!

0 Karma
1 Solution

ltrand
Contributor

Figured it out, pretty simple I was just nuking it:
sourcetype="firewalls" | fields src, dest, action
| search [| inputlookup lan-ranges.csv | fields address | rename address as src]
| dedup src,dest
|table src, dest, action

View solution in original post

0 Karma

ltrand
Contributor

Figured it out, pretty simple I was just nuking it:
sourcetype="firewalls" | fields src, dest, action
| search [| inputlookup lan-ranges.csv | fields address | rename address as src]
| dedup src,dest
|table src, dest, action

0 Karma

ltrand
Contributor

Get's even weirder:

when attempting the following:

sourcetype="firewalls" | where cidrmatch([| inputlookup lan-ranges-test.csv | fields address],src_ip) | stats values(dest_port) AS DST_Port by src_ip,transport

I get the following error:
Error in 'where' command: The arguments to the 'cidrmatch' function are invalid.

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...