I'm attempting to use a CSV list of IP subnets to scan through firewall logs for hits, but it's not working out well.
The lookup CSV is as follows:
address
"192.168.15.0/24"
transforms.conf looks like this:
[lan-ranges-test]
filename = lan-ranges-test.csv
match_type = CIDR(address)
fields_list = address
Attempted searches:
So far here is my search:
1:
sourcetype="firewalls"
| search [| inputlookup lan-ranges-test.csv | fields address | rename address as addresses]
| where cidrmatch(addresses, src)
| table src
2:
sourcetype="firewalls" src=*
| lookup lan-ranges-test.csv address as src OUTPUT address as sources
| search sources=*
| table sources
These result in 0 hits. If I run the following search, however, I get hits:
sourcetype="firewalls" src="192.168.15.0/24"
Any thoughts on why I can't get the CSV to work? I have hundreds, and I'd rather not have to export raw logs and go Excel ninja on them.
Thanks!
Figured it out; pretty simple, I was just nuking it:
sourcetype="firewalls" | fields src, dest, action
| search [| inputlookup lan-ranges.csv | fields address | rename address as src]
| dedup src,dest
| table src, dest, action
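To show why the plain lookup attempts above returned 0 hits while the CIDR-aware search finds events, here is an added example (not from the original post or from Splunk) that models the two lookup behaviours offline: an exact string match, which is what a lookup without `match_type = CIDR(address)` does, beside a CIDR membership match. The CSV text and the firewall events are constructed sample data.

```python
import csv
import io
import ipaddress

# Constructed stand-in for lan-ranges-test.csv (same single 'address' column as the post).
LOOKUP_CSV = 'address\n"192.168.15.0/24"\n"10.20.0.0/16"\n'

# Constructed firewall events; only the src field takes part in the lookup.
EVENTS = [
    {"src": "192.168.15.42", "dest": "8.8.8.8", "action": "allowed"},
    {"src": "10.20.7.9", "dest": "1.1.1.1", "action": "blocked"},
    {"src": "172.16.0.5", "dest": "9.9.9.9", "action": "allowed"},
]


def load_ranges(csv_text):
    """Read the 'address' column of the lookup CSV into a list of strings."""
    return [row["address"] for row in csv.DictReader(io.StringIO(csv_text))]


def lookup_exact(events, ranges):
    """Default lookup semantics: src must equal the address string literally.
    A host address such as 192.168.15.42 never equals "192.168.15.0/24",
    so every event falls through and the result is empty."""
    wanted = set(ranges)
    return [e for e in events if e["src"] in wanted]


def lookup_cidr(events, ranges):
    """match_type = CIDR(address) semantics: src is tested for membership of
    each network. Matching events are annotated with the range that matched."""
    nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
    hits = []
    for e in events:
        try:
            src = ipaddress.ip_address(e["src"])
        except ValueError:
            continue  # src missing or not a single host address; cannot be matched
        for net in nets:
            if src in net:
                hits.append({**e, "matched_range": str(net)})
                break
    return hits


if __name__ == "__main__":
    ranges = load_ranges(LOOKUP_CSV)
    print("exact-match hits:", len(lookup_exact(EVENTS, ranges)))
    for hit in lookup_cidr(EVENTS, ranges):
        print(hit["src"], "->", hit["matched_range"], hit["action"])
```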
Gets even weirder when attempting the following:
sourcetype="firewalls" | where cidrmatch([| inputlookup lan-ranges-test.csv | fields address],src_ip) | stats values(dest_port) AS DST_Port by src_ip,transport
I get the following error:
Error in 'where' command: The arguments to the 'cidrmatch' function are invalid.