Is it possible to get a count of IPs from one lookup table that match each subnet in CIDR format in another lookup?

jizzmaster
Path Finder

I want to perform a CIDR match on a list of IPs and a list of subnets.

In a lookup table I have a list of subnets in CIDR format. In another list I have a few hundred IPs. My goal is to get a count of IPs from the IP list that match each subnet from the subnet list. Is this possible?

I've found the cidrmatch function in the eval and where commands, but I have not been able to take the subnet variable in cidrmatch and make it look at a lookup table to match. Maybe I'm going about this the wrong way though. Any assistance is appreciated.

Example Lookup Table

Subnet
10.20.0.0/16
10.21.0.0/16

Example Lookup Table

IP
10.20.5.3
10.20.3.4
10.21.75.1
10.21.34.5
10.21.122.11

Desired Output

Subnet               Count
10.20.0.0/16          2
10.21.0.0/16          3
1 Solution

sideview
SplunkTrust

You want to use the inputlookup command to get the first lookup as the search result rows, and then pipe that to a lookup command to do a CIDR match based on the second lookup's rows.

I don't think there's a way to do a CIDR match lookup completely inline, i.e. with just a standard file-based lookup and with the search language.

But if you put this in local/transforms.conf

[firstLookupName]
filename = yourFileNameHere.csv
match_type = CIDR(Subnet)

[secondLookupName]
filename = yourOtherFileNameHere.csv

And if you tack on some other field in the first lookup (single-field lookups may be existentially uncomfortable, i.e. Splunk may fail to load them if they only have one field). Let's say that field is "is_sketchy" and the values are all "1".

Then you should be able to do:

| inputlookup secondLookupName | lookup firstLookupName Subnet as IP OUTPUT Subnet | stats count by Subnet
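For readers who want to check the expected counts outside Splunk, or understand what the CIDR-matching lookup is doing row by row, here is an added Python example. It is not code from the thread or from Splunk; it assumes the two lookup files use the field names from the question (Subnet and IP), adds the "is_sketchy" column the answer suggests, and embeds constructed CSV contents inline. It also goes slightly beyond the thread: when subnets overlap it credits each IP to the most specific matching subnet, it reports IPs that match nothing, and it can optionally list subnets with a zero count, which `| stats count by Subnet` does not do since a subnet that never matched never appears as a row.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample data, written as the two CSV lookup files the question
# describes. The "is_sketchy" column is the extra field the answer suggests
# adding so that the subnet lookup has more than one column.
SUBNET_CSV = """Subnet,is_sketchy
10.20.0.0/16,1
10.21.0.0/16,1
"""

IP_CSV = """IP
10.20.5.3
10.20.3.4
10.21.75.1
10.21.34.5
10.21.122.11
"""


def load_lookup(csv_text):
    """Parse lookup CSV text (header row plus records) into a list of dicts,
    the same shape `| inputlookup` produces for a file-based lookup."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_cidr_index(subnet_rows, field="Subnet"):
    """Parse the CIDR strings once, most specific prefix first, so a lookup
    over overlapping subnets returns the narrowest match. Malformed entries
    are skipped rather than aborting the whole match."""
    nets = []
    for row in subnet_rows:
        text = row[field].strip()
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            continue
        nets.append((net, text))
    nets.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return nets


def cidr_lookup(ip_text, cidr_index):
    """The equivalent of `lookup firstLookupName Subnet as IP OUTPUT Subnet`
    for one row: return the matching Subnet string, or None if the IP is
    malformed or falls outside every subnet."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, label in cidr_index:
        if addr.version == net.version and addr in net:
            return label
    return None


def count_ips_per_subnet(ip_rows, subnet_rows, ip_field="IP",
                         include_empty=False):
    """Return (counts, unmatched): counts maps Subnet -> number of IPs in it,
    like `| stats count by Subnet`; unmatched lists IPs no subnet covered.
    With include_empty=True, subnets that matched nothing appear with 0."""
    index = build_cidr_index(subnet_rows)
    counts = Counter()
    unmatched = []
    for row in ip_rows:
        label = cidr_lookup(row[ip_field], index)
        if label is None:
            unmatched.append(row[ip_field].strip())
        else:
            counts[label] += 1
    if include_empty:
        for _, label in index:
            counts.setdefault(label, 0)
    return dict(counts), unmatched


if __name__ == "__main__":
    counts, unmatched = count_ips_per_subnet(load_lookup(IP_CSV),
                                             load_lookup(SUBNET_CSV))
    print(f"{'Subnet':<20} Count")
    for subnet, count in sorted(counts.items()):
        print(f"{subnet:<20} {count}")
    if unmatched:
        print("unmatched:", ", ".join(unmatched))
```

Running the block as-is reproduces the desired output from the question (10.20.0.0/16 with 2, 10.21.0.0/16 with 3). The sort by prefix length is the only real design decision: if the subnet lookup contained both 10.0.0.0/8 and 10.20.5.0/24, an IP such as 10.20.5.3 is counted once, under the /24, instead of inflating both rows.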

sideview
SplunkTrust

Sorry, I had to update the answer about 10 minutes after I posted it, because of a couple of mistakes I found later.


jizzmaster
Path Finder

Yeah, in a way I was hoping for an inline CIDR match. But the regular lookup works once I put a stanza in the transforms.conf. 'Tis a shame that the inline ability is seemingly not possible.
