Splunk Search

What is the correct syntax for excluding a subnet from a search using CIDR notation?

jlawsonmers
New Member

In trying to learn how to exclude a subnet from a search using CIDR notation, I was directed to this link:
http://answers.splunk.com/answers/130030/how-does-one-search-for-a-cidr-range-of-addresses
which says:
You can't do CIDR defined search on freetext. You can however do it if you have the IP addresses you want to match against in extracted fields. In other words,

10.0.0.0/24

won't work, but

src_ip=10.0.0.0/24

will.

I have a search like this:
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]"

and I want to exclude the subnet 192.168.0.0/16 (within the fields "_raw" and "host") from the results. How do I do this? What is the correct syntax for the entire search?


mikaelbje
Motivator

The CSV file:

src_ip
127.0.0.1
192.168.200.0/24

Order matters AFAIK.

Transforms.conf:

[excluded_ips]
filename = excluded_ips.csv
match_type = CIDR(src_ip)

Your search:

"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]" NOT [inputlookup excluded_ips | fields src_ip]

Another example can be found here: http://answers.splunk.com/answers/93779/match_type-cidr-doesnt-seem-to-work


mikaelbje
Motivator

Hi! Take a look at the cisco_ios app for an example of how to do this. The view in question is called security_acl. It does a lookup on the cisco_ios_excluded_ips.csv file. Check transforms.conf in the app for the stanza referencing the lookup file. There are also lots of extractions for src_ip in there that you can have a look at.


jlawsonmers
New Member

In order to make this work, where should the file "excluded_ips.csv" be placed and where should the file "transforms.conf" be placed?


mikaelbje
Motivator

Note that doing CIDR matching on _raw won't work AFAIK. I believe you need a field to look at for CIDR matching.

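A complete worked version of the lookup-based exclusion from mikaelbje's first answer, which also shows the point made in the note above (CIDR matching needs an extracted field, not free text in _raw). This is an added example, not code from the original thread or from the cisco_ios app. It assumes: the files live under the built-in `search` app (any app you own works, with the same `lookups/` and `local/` layout); a `note` column is added to the CSV so the `lookup` command has a field to output; a row for the 192.168.0.0/16 range from the question is added; the `rex` line is a placeholder that grabs the first dotted quad from _raw and should be replaced by a real ASA field extraction; and `excluded_by` is an arbitrary output field name. The `#` lines are annotations only; a CSV lookup file has no comment syntax, so do not paste them into the CSV.

```spl
# File 1 (assumed path): $SPLUNK_HOME/etc/apps/search/lookups/excluded_ips.csv
# Exact hosts and CIDR ranges may be mixed in one column; the second column
# exists only so the lookup has something to OUTPUT on a match.
src_ip,note
127.0.0.1,loopback
192.168.200.0/24,lab-segment
192.168.0.0/16,rfc1918-internal

# File 2 (assumed path): $SPLUNK_HOME/etc/apps/search/local/transforms.conf
# match_type = CIDR(<field>) makes the lookup compare the event's src_ip
# against each row as a CIDR range instead of as a literal string.
# max_matches = 1 because one hit is all an exclusion needs.
[excluded_ips]
filename = excluded_ips.csv
match_type = CIDR(src_ip)
max_matches = 1

# Search A: exclusion via the CIDR lookup.
# 1. The base search is the one from the question.
# 2. rex extracts src_ip from _raw (placeholder regex; use your own extraction).
#    Without an extracted field, the CIDR comparison has nothing to match on.
# 3. lookup tags each event whose src_ip falls inside any row of the CSV.
# 4. where keeps only untagged events; events with no src_ip at all are kept too.
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]"
| rex field=_raw "(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| lookup excluded_ips src_ip OUTPUT note AS excluded_by
| where isnull(excluded_by)

# Search B: a single range without any lookup file.
# The search command applies CIDR matching to a field=value term, so it works
# on host (when host holds an IP address) in the base search and on the
# extracted src_ip after the rex. "192.168.0.0/16" as a bare free-text term
# would only match that literal string, which is why the field is required.
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]" NOT host=192.168.0.0/16
| rex field=_raw "(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
| search NOT src_ip=192.168.0.0/16
```

Search A is the one to use when the exclusion list changes over time, since editing the CSV needs no search change; Search B is enough for a fixed single range. In both, `| search NOT src_ip=...` and `| where isnull(...)` keep events that have no src_ip, which is usually what you want for an exclusion; `| where NOT cidrmatch("192.168.0.0/16", src_ip)` would instead drop events whose src_ip is missing, because `where` discards a null result.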


jlawsonmers
New Member

Thanks, that seems helpful. Would someone tell me where to find the security_acl view and transforms.conf?


ppablo
Retired

Here's the link to the app's page 🙂
http://apps.splunk.com/app/1352/
