Solved: Re: Why am I getting zero results using CIDR match...

ltrand · ‎08-03-2015

I'm attempting to use a CSV list of IP subnets to scan through firewall logs for hits, but it's not working out well.

lookup CSV is as follows:

address
"192.168.15.0/24"

transforms.conf looks like this:

[lan-ranges-test]
filename = lan-ranges-test.csv
match_type = CIDR(address)
fields_list = address

Attempted searches:
So far here is my search:

1:

sourcetype="firewalls"
| search [| inputlookup lan-ranges-test.csv | fields address | rename address as addresses]
| where cidrmatch(addresses, src)
|table src

2:

sourcetype="firewalls" src=*
| lookup lan-ranges-test.csv address as src OUTPUT address as sources
| search sources=* 
| table sources

These result in 0 hits. If I run the following search, however, I get hits:

sourcetype="firewalls" src="192.168.15.0/24"

Any thoughts on why I can't get the CSV to work? I have hundreds that I'd like to not have to export raw logs and go excel ninja on.

Thanks!

ltrand · ‎08-18-2015

View solution in original post

ltrand · ‎08-18-2015

ltrand · ‎08-04-2015

Get's even weirder:

when attempting the following:
sourcetype="firewalls" | where cidrmatch([| inputlookup lan-ranges-test.csv | fields address],src_ip) | stats values(dest_port) AS DST_Port by src_ip,transport

I get the following error:
Error in 'where' command: The arguments to the 'cidrmatch' function are invalid.

Why am I getting zero results using CIDR matching and a CSV lookup of IP subnets to scan through firewall logs for hits?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases