Splunk Search

Why am I getting zero results using CIDR matching and a CSV lookup of IP subnets to scan through firewall logs for hits?

Contributor

I'm attempting to use a CSV list of IP subnets to scan through firewall logs for hits, but it's not working out well.

lookup CSV is as follows:

address
"192.168.15.0/24"

transforms.conf looks like this:

[lan-ranges-test]
filename = lan-ranges-test.csv
match_type = CIDR(address)
fields_list = address

Attempted searches:
So far here is my search:

1:

sourcetype="firewalls"
| search [| inputlookup lan-ranges-test.csv | fields address | rename address as addresses]
| where cidrmatch(addresses, src)
|table src

2:

sourcetype="firewalls" src=*
| lookup lan-ranges-test.csv address as src OUTPUT address as sources
| search sources=* 
| table sources

These result in 0 hits. If I run the following search, however, I get hits:

sourcetype="firewalls" src="192.168.15.0/24"

Any thoughts on why I can't get the CSV to work? I have hundreds that I'd like to not have to export raw logs and go excel ninja on.

Thanks!

0 Karma
1 Solution

Contributor

Figured it out, pretty simple I was just nuking it:
sourcetype="firewalls" | fields src, dest, action
| search [| inputlookup lan-ranges.csv | fields address | rename address as src]
| dedup src,dest
|table src, dest, action

View solution in original post

0 Karma

Contributor

Figured it out, pretty simple I was just nuking it:
sourcetype="firewalls" | fields src, dest, action
| search [| inputlookup lan-ranges.csv | fields address | rename address as src]
| dedup src,dest
|table src, dest, action

View solution in original post

0 Karma

Contributor

Get's even weirder:

when attempting the following:

sourcetype="firewalls" | where cidrmatch([| inputlookup lan-ranges-test.csv | fields address],src_ip) | stats values(dest_port) AS DST_Port by src_ip,transport

I get the following error:
Error in 'where' command: The arguments to the 'cidrmatch' function are invalid.

0 Karma