Re: CIDR in a lookup table - no access to transfor...

mbolostk · ‎09-22-2015

I know it's possible to put CIDR ip ranges in a lookup table. However, my question is, what if I do not have access to modify the transforms.conf file directly and match_type is now shown in the advanced area of the lookup definitions (I'm using 6.1). Is there a way to use something similar to match_type in a regular query search so I can acquire the same type of results even if it's not specified in the transforms.conf file?

troyelanders · ‎02-07-2017

Use the 'map' command. Here is an example:

Lets assume you have a lookup table called 'my_csv_list_of_cidr_ranges.csv ' which looks something like:

cidr
199.000.001.0/22
199.000.002.0/22
199.000.003.0/22

Or something like that.

The following code will take that list and compare it to a field called 'my_ip' and return a list of IP addresses that match at least one of the cidr ranges. The myfield* fields are optional and are simply there to pass other fields out of the map command. Be sure to set maxsearches to a value higher than the number of cidrs in you lookup file.

index=myindex sourcetype=mysource 
| map maxsearches=100 search="| inputlookup my_csv_list_of_cidr_ranges.csv 
| eval myfield1=\"$myfield1$\"
| eval myfield2=\"$myfield2$\"
| eval ipmatch=if(cidrmatch(cidr,my_ip),1,0)
| eventstats sum(ipmatch) as total_ipmatch by my_ip
| where total_ipmatch>0
| dedup my_ip
| table * "

CIDR in a lookup table - no access to transforms.conf?

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk