In trying to learn how to exclude a subnet from a search using CIDR notation, I was directed to this link:
http://answers.splunk.com/answers/130030/how-does-one-search-for-a-cidr-range-of-addresses
which says:
You can't do CIDR defined search on freetext. You can however do it if you have the IP addresses you want to match against in extracted fields. In other words,
10.0.0.0/24
won't work, but
src_ip=10.0.0.0/24
will.
I have a search like this:
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]"
and I want to exclude the subnet 192.168.0.0/16 (within the fields "_raw" and "host") from the results. How do I do this? What is the correct syntax for the entire search?
The CSV file:
src_ip 127.0.0.1 192.168.200.0/24
Order matters AFAIK.
Transforms.conf:
[excluded_ips]
filename = excluded_ips.csv
match_type = CIDR(src_ip)
Your search:
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]" NOT [inputlookup excluded_ips | fields src_ip]
Another example can be found here: http://answers.splunk.com/answers/93779/match_type-cidr-doesnt-seem-to-work
Hi! Take a look at the cisco_ios app for an example on how to do this. The view in question is called security_acl. It does a lookup on the cisco_ios_excluded_ips.csv file. Check transforms.conf in the app for the stanza referencing the lookup file. There's also lots of extractions for src_ip in there as well that you can have a look at.
In order to make this work, where should the file "excluded_ips.csv" be placed and where should the file "transforms.conf" be placed?
Note that doing cidr matching on _raw won't work AFAIK. I believe you need a field to look at for CIDR matching
security_acl.xml : https://github.com/inspired/cisco_ios/blob/master/default/data/ui/views/security_acl.xml
Transforms.conf :
https://github.com/inspired/TA-cisco_ios/blob/master/default/transforms.conf
Have a look at my other answer which should be a working solution
Thanks, that seems helpful. Would someone tell me where to find the security_acl view and transforms.conf?
Here's the link to the app's page 🙂
http://apps.splunk.com/app/1352/