match_cidr = CIDR() config not working as expected

dm1
Contributor

So I need to run a search on a firewall index where I need to look for field values matching those in two lookup files, src.csv and dst_withsubnets.csv, and output the corresponding fields.

Test SPL from my lab

| makeresults | eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| join src_ip
    [| inputlookup src.csv
    | rename src AS src_ip]
| join dest_ip
    [| inputlookup dst_withsubnets.csv
    | rename dst AS dest_ip ]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

src.csv

src
1.1.1.1

dst_withsubnets.csv

dst
192.168.1.0/24

As you can see, the SPL is searching for dest_ip in a lookup that only has destination subnets. To make it work, I have also added the following transforms.conf:

[dst_withsubnets]
filename = dst_withsubnets.csv
match_type = CIDR(dst)
max_matches = 1

However, it's still not working.

1 Solution

bowesmana
SplunkTrust

So, if you're looking to use the lookup addresses as constraints, then you can use the src.csv as a subsearch, so 

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]

which will filter your search. For the CIDR one, you can use the lookup, but do this

| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)

which will output the found addresses to a new field, dst_match, and then you can check that it has found a match with the where clause.


bowesmana
SplunkTrust

The way to use lookups is not the way you are doing it. Use the lookup command, not join/inputlookup:

| makeresults 
| eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop" 
| lookup src.csv src as src_ip 
| lookup dst_withsubnets dst as dest_ip 
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

As for the CIDR variant - that comes from the lookup definition dst_withsubnets - NOT the csv file, so it will never work with inputlookup/join anyway.


dm1
Contributor

@bowesmana I tried your suggestion but am getting the error below:

Error in 'lookup' command: All of the fields in the lookup table are specified as lookups, leaving no destination fields.

Below is the screenshot (attachment splunk.PNG, not reproduced here).



dm1
Contributor

@bowesmana I want not only the src lookup but also the dest lookup with subnets to act as a constraint for that search.

So, should I do it this way?

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
[| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

or without the [] for dest_withsubnets

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

Tried both methods; none worked, unfortunately.


dm1
Contributor

Thanks @bowesmana !!! Really appreciate your help!

The SPL below worked for me:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

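To make the accepted approach concrete offline, here is an added Python example (not code from this thread, and not Splunk's own implementation) that reproduces what the final SPL above does: the values in src.csv act as an exact-match constraint on src_ip, dest_ip is matched against the CIDR ranges in dst_withsubnets.csv with the matched range written to a separate dst_match field (the role of `OUTPUT dst as dst_match`, which also avoids the "no destination fields" error seen earlier in the thread), and events with no match are dropped, as `where isnotnull(dst_match)` does. The extra lookup rows beyond the thread's single entries, the sample events, and the rule that the most specific prefix wins when several ranges cover an address are this example's own constructed assumptions, not documented Splunk behaviour.

```python
import csv
import io
import ipaddress

# Constructed lookup contents. The first data row of each mirrors the
# thread's src.csv and dst_withsubnets.csv; the extra dst rows are added
# here (assumption) to show an address covered by more than one range.
SRC_CSV = "src\n1.1.1.1\n"
DST_CSV = "dst\n192.168.1.0/24\n10.0.0.0/8\n10.1.0.0/16\n"


def load_exact_lookup(text, field):
    """Exact-match lookup: the set of values in one CSV column."""
    return {row[field].strip() for row in csv.DictReader(io.StringIO(text))}


def load_cidr_lookup(text, field):
    """CIDR lookup: parse each row of the column as an IP network
    (the job that match_type = CIDR(dst) does in transforms.conf)."""
    return [ipaddress.ip_network(row[field].strip(), strict=False)
            for row in csv.DictReader(io.StringIO(text))]


def cidr_match(ip, networks):
    """Return the matched range as a string, or None when nothing matches
    (the equivalent of dst_match being null). An unparseable address also
    yields None rather than raising, so a malformed event is filtered out.
    When several ranges contain the address, the most specific prefix is
    chosen; that tie-break is this example's own choice (assumption)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    hits = [n for n in networks if addr.version == n.version and addr in n]
    if not hits:
        return None
    return str(max(hits, key=lambda n: n.prefixlen))


def filter_events(events, src_set, dst_networks):
    """Mirror of the working SPL:
       <your_search> [ | inputlookup src.csv ... ]        -> src_ip must be in src_set
       | lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
       | where isnotnull(dst_match)"""
    kept = []
    for ev in events:
        if ev["src_ip"] not in src_set:          # subsearch constraint on src_ip
            continue
        dst_match = cidr_match(ev["dest_ip"], dst_networks)
        if dst_match is None:                    # where isnotnull(dst_match)
            continue
        kept.append({**ev, "dst_match": dst_match})
    return kept


SRC_SET = load_exact_lookup(SRC_CSV, "src")
DST_NETWORKS = load_cidr_lookup(DST_CSV, "dst")

# Constructed firewall events; the first is the thread's makeresults row.
EVENTS = [
    {"src_ip": "1.1.1.1", "dest_ip": "192.168.1.1", "dest_port": 443, "action": "drop"},
    {"src_ip": "1.1.1.1", "dest_ip": "192.168.2.1", "dest_port": 443, "action": "allow"},  # no range covers it
    {"src_ip": "2.2.2.2", "dest_ip": "192.168.1.5", "dest_port": 22,  "action": "allow"},  # src not in lookup
    {"src_ip": "1.1.1.1", "dest_ip": "10.1.2.3",    "dest_port": 53,  "action": "drop"},   # two ranges match
    {"src_ip": "1.1.1.1", "dest_ip": "garbage",     "dest_port": 80,  "action": "drop"},   # malformed address
]

if __name__ == "__main__":
    for ev in filter_events(EVENTS, SRC_SET, DST_NETWORKS):
        print(ev["src_ip"], ev["dest_ip"], ev["dest_port"], ev["action"], ev["dst_match"])
```

Running the module keeps two of the five constructed events: the thread's own 192.168.1.1 row (dst_match 192.168.1.0/24) and the 10.1.2.3 row, where the /16 is reported in preference to the /8. The unmatched destination, the unknown source and the malformed address are all dropped, which is the filtering the `where isnotnull(dst_match)` step provides in SPL.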