match_cidr = CIDR() config not working as expected

dm1
Contributor

So I need to run a search on a firewall index where I need to look for field values matching those in two lookup files, src.csv and dst_withsubnets.csv, and output the corresponding fields.

Test SPL from my lab

| makeresults | eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| join src_ip
    [| inputlookup src.csv
    | rename src AS src_ip]
| join dest_ip
    [| inputlookup dst_withsubnets.csv
    | rename dst AS dest_ip]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

src.csv

1.1.1.1

dst_withsubnets.csv

dst
192.168.1.0/24

As you can notice, the SPL is searching for dest_ip in a lookup that only has destination subnets. To make it work, I have also added the following transforms.conf:

[dst_withsubnets]
filename = dst_withsubnets.csv
match_type = CIDR(dst)
max_matches = 1

However, it's still not working.

1 Solution

bowesmana
SplunkTrust

So, if you're looking to use the lookup addresses as constraints, then you can use the src.csv as a subsearch, so

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]

which will filter your search. For the CIDR one, you can use the lookup, but do this

| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)

which will output the found addresses to a new field, dst_match, and then you can check that it has found a match with the where clause.


bowesmana
SplunkTrust

The way to use lookups is not the way you are doing it. Use the lookup command, not join/inputlookup:

| makeresults
| eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| lookup src.csv src as src_ip
| lookup dst_withsubnets dst as dest_ip
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

As for the CIDR variant, that comes from the lookup definition dst_withsubnets, NOT the csv file, so it will never work with inputlookup/join anyway.

dm1
Contributor

@bowesmana I tried your suggestion but am getting the error below:

Error in 'lookup' command: All of the fields in the lookup table are specified as lookups, leaving no destination fields.

Below is the screenshot (splunk.PNG).

dm1
Contributor

@bowesmana I want not only the src lookup but the dest lookup with subnets also to act as constraint for that search.

So, should I do it this way?

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
[| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

or without the [] for dst_withsubnets:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

Tried both methods, none worked unfortunately.

dm1
Contributor

Thanks @bowesmana !!! Really appreciate your help!

The SPL below worked for me:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
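As an added illustration, not SPL from this thread and not Splunk's own code, the Python script below reproduces what the working search does outside Splunk: an exact-match constraint on src_ip taken from src.csv (the subsearch), then a CIDR-style match of dest_ip against the subnets in dst_withsubnets.csv with max_matches = 1 (the lookup definition), keeping only events that received a dst_match (the where clause). The lookup contents and firewall events are constructed sample data, and exact_lookup also shows why the original join on dest_ip against subnet strings could never match. When an address falls inside more than one subnet, this script prefers the most specific block; that tie-break is the script's own choice and is not something the thread states about Splunk.

```python
import csv
import io
import ipaddress

# Constructed stand-ins for the two lookup files named in the thread.
# src.csv holds exact addresses, dst_withsubnets.csv holds CIDR blocks.
SRC_CSV = """src
1.1.1.1
10.0.0.5
"""

DST_WITHSUBNETS_CSV = """dst
192.168.1.0/24
10.10.0.0/16
"""

# Constructed firewall events shaped like the makeresults row in the thread.
EVENTS = [
    {"src_ip": "1.1.1.1", "src_translated_ip": "3.3.3.3",
     "dest_ip": "192.168.1.1", "dest_port": 443, "action": "drop"},
    {"src_ip": "1.1.1.1", "src_translated_ip": "3.3.3.3",
     "dest_ip": "8.8.8.8", "dest_port": 53, "action": "allow"},
    {"src_ip": "2.2.2.2", "src_translated_ip": "3.3.3.4",
     "dest_ip": "192.168.1.200", "dest_port": 22, "action": "allow"},
    {"src_ip": "10.0.0.5", "src_translated_ip": "3.3.3.5",
     "dest_ip": "10.10.4.7", "dest_port": 445, "action": "drop"},
]


def load_column(csv_text, column):
    """Read one column of a CSV lookup, header row included (like inputlookup)."""
    return [row[column] for row in csv.DictReader(io.StringIO(csv_text))]


def parse_networks(csv_text, column="dst"):
    """Turn the dst column into network objects so membership tests are possible."""
    return [ipaddress.ip_network(c, strict=False) for c in load_column(csv_text, column)]


def exact_lookup(value, allowed):
    """Default lookup / join semantics: the field must equal a lookup value verbatim.
    This is why joining dest_ip against a file of subnet strings never matches."""
    return value if value in allowed else None


def cidr_lookup(value, networks, max_matches=1):
    """match_type = CIDR(dst) semantics: the field matches when the address lies
    inside a block. Returns up to max_matches block strings, most specific first
    (the ordering is this script's assumption, not a documented Splunk rule)."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return []  # a malformed or empty dest_ip simply produces no match
    hits = [n for n in networks if addr in n]  # mixed IPv4/IPv6 compares as False
    hits.sort(key=lambda n: n.prefixlen, reverse=True)
    return [str(n) for n in hits[:max_matches]]


def filter_events(events, src_csv=SRC_CSV, dst_csv=DST_WITHSUBNETS_CSV):
    """Apply both constraints the way the working SPL does:
    subsearch on src.csv, CIDR lookup on dst_withsubnets, where isnotnull(dst_match)."""
    allowed_src = set(load_column(src_csv, "src"))
    networks = parse_networks(dst_csv)
    out = []
    for ev in events:
        if exact_lookup(ev["src_ip"], allowed_src) is None:
            continue  # src_ip not in the subsearch result set
        matches = cidr_lookup(ev["dest_ip"], networks)
        if not matches:
            continue  # equivalent of | where isnotnull(dst_match)
        row = dict(ev)
        row["dst_match"] = matches[0]
        out.append(row)
    return out


if __name__ == "__main__":
    for row in filter_events(EVENTS):
        print(row)
```

The exact_lookup call against a set of subnet strings returns None for 192.168.1.1, which mirrors the empty result of the original join; only the CIDR match produces a dst_match, and only events that pass both constraints survive.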