Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I use Subnets.csv file of 100 subnets, instead of adding each in IP search command?

utk123
Path Finder
‎03-03-2020 05:30 AM

I want to create a Splunk dashboard for 100 subnets in the CSV file. But not able to use this CSV file in my Splunk query.

Example:

CSV file: Subnets.csv
Simple splunk query to generate results without csv file for only 3 subnets:
index=firewall (IP="10.10.10.*" OR IP="10.10.20.*" OR IP="100.100.20.*") (Status=allow) 
| stats count(IP) by Status

How can I use Subnets.csv file of 100 subnets, instead of adding each in IP search command?

0 Karma
Reply

to4kawa
Ultra Champion
‎03-03-2020 01:34 PM

UPDATE:

index=firewall [| inputlookup Subnets.csv | fields IP | format] Status=allow | stats count(IP) by Status
0 Karma
Reply

utk123
Path Finder
‎03-03-2020 08:45 PM

This doesn't give any results. 😞

0 Karma
Reply

manjunathmeti
Champion
‎03-03-2020 08:34 AM

Assuming IP field with subnet values exist in Subnets.csv like below.

IP
10.10.10.*
10.10.20.*
00.100.20.*
......

Try this search:

 index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP] Status=allow | stats count(IP) by Status
0 Karma
Reply

utk123
Path Finder
‎03-03-2020 08:15 PM

Actually the Subnets are like below in CIDR format.
10.10.10.0/24
10.10.20.128/28
00.100.20.0/25

so above search doesn't work. Any suggestions ?

0 Karma
Reply

manjunathmeti
Champion
‎03-03-2020 09:35 PM

Better query:

index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP | format] Status=allow | stats count(IP) by Status
0 Karma
Reply

utk123
Path Finder
‎03-04-2020 07:06 PM

Tried both methods, but it's not giving expected results. So I have just used notepad++ feature to replace all subnets ending with "star" from column to single row. and now all 100 subnets ending with "star" are in single row.

Like:
IP="10.10.10." OR IP="10.10.20." OR IP="100.100.20.*".....

Although it's not 100% exact, but close to exact, and working.

Thanks manjunathmeti.

0 Karma
Reply

manjunathmeti
Champion
‎03-04-2020 07:54 PM

Check this query:

index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP] Status=allow | stats count(IP) by Status

This will run as:

index=firewall (IP="10.10.10.*" OR IP="10.10.20.*" OR IP="100.100.20.* OR ....") Status=allow | stats count(IP) by Status

0 Karma
Reply

manjunathmeti
Champion
‎03-03-2020 09:21 PM

Replace last part (0/24) of IP with * and use.

index=firewall [| inputlookup Subnets.csv | eval IP="IP=".replace(IP,"\d+/\d+", "*") | fields IP | mvcombine delim=" OR " IP | nomv IP | return $IP] Status=allow | stats count(IP) by Status
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...