Re: getting ip range lookup

abi2023 · ‎08-23-2023

I uploaded csv lookup table has 2 field location and iprange.

iS THERE WAY TO GET WHAT ARE POSSIBLE IP IN EACH RANGE. SO I CAN ENTER IP address it will return the location for that range?

bowesmana · ‎08-23-2023

If your IP ranges are defined as CIDR ranges then you can make a lookup using the IP range as a CIDR lookup field and then you can give a lookup for an IP address and it will return location.

See the lookup documentation

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Lookup

ITWhisperer · ‎08-23-2023

How is iprange defined?

abi2023 · ‎08-25-2023

|inputlookup demo.csv
| eval ip = "xx.xxx.xxx.xxx" ```Enter IP address you the Match```
| eval result=if(cidrmatch(ip_range, ip), "true", "false")
| search result="true"

i am using above spl to return result for the ip address associated with the IP range in lookup table. this work fine.

I want do same thing when index=main has field ip which contains IP address. I need to invoke cidrmatch out result assiate with same iprange. how do modifiy my SPL. SINCE lookup table and my index info has nothing in common other than Ip field i have and lookup table has ip tange info. Is there way i can use lookup cammand do this?

Thanks

bowesmana · ‎08-25-2023

Yes, you need to make a lookup DEFINITION based on the lookup file. In the advanced options for the definition add CIDR(ip_range)

In your SPL you do

index=main
| lookup definition_name ip_range as ip OUTPUT ip_range as found

then you will have the found field as your range if the IP is found or null if not found

so you can do this

| where isnotnull(found)

which will find those that match the range.

How to get ip range lookup?

lookup

other

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users