Is it possible to get a count of IPs from one lookup table that match each subnet in CIDR format in another lookup?

jizzmaster
Path Finder

I want to perform a CIDR match on a list of IPs and a list of subnets.

In a lookup table I have a list of subnets in CIDR format. In another list I have a few hundred IPs. My goal is to get a count of IPs from the IP list that match each subnet from the subnet list. Is this possible?

I've found the cidrmatch function in the eval and where commands, but I have not been able to take the subnet variable in cidrmatch and make it look at a lookup table to match. Maybe I'm going about this the wrong way though. Any assistance is appreciated.

Example Lookup Table

Subnet
10.20.0.0/16
10.21.0.0/16

Example Lookup Table

IP
10.20.5.3
10.20.3.4
10.21.75.1
10.21.34.5
10.21.122.11

Desired Output

Subnet               Count
10.20.0.0/16          2
10.21.0.0/16          3

sideview
SplunkTrust

You want to use the inputlookup command to get the first lookup as the search result rows, and then pipe that to a lookup command to do a CIDR match based on the second lookup's rows.

I don't think there's a way to do a CIDR match lookup completely inline, i.e. with just a standard file-based lookup and with the search language.

But if you put this in local/transforms.conf

[firstLookupName]
filename = yourFileNameHere.csv
match_type = CIDR(Subnet)

[secondLookupName]
filename = yourOtherFileNameHere.csv

And if you tack on some other field in the first lookup (single-field lookups may be existentially uncomfortable, i.e. Splunk may fail to load them if they only have one field). Let's say that field is "is_sketchy" and the values are all "1".

Then you should be able to do:

| inputlookup secondLookupName | lookup firstLookupName Subnet as IP OUTPUT Subnet | stats count by Subnet

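As an added, stand-alone cross-check of what the search above should return (this is not code from the post or from Splunk), here is the same CIDR-match-and-count done in Python over the two example lookups from the question, with the extra is_sketchy column the answer recommends. Rows that are not valid IPs or that fall outside every subnet are reported rather than counted, and overlapping subnets resolve to the longest prefix, which is this example's own choice and not a claim about the lookup's behaviour.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample lookups, copied from the two tables in the question;
# is_sketchy is the extra column the answer suggests adding to the subnet lookup.
SUBNET_CSV = "Subnet,is_sketchy\n10.20.0.0/16,1\n10.21.0.0/16,1\n"
IP_CSV = "IP\n10.20.5.3\n10.20.3.4\n10.21.75.1\n10.21.34.5\n10.21.122.11\n"


def load_subnets(csv_text):
    """Parse the subnet lookup, skipping rows that are not valid CIDR notation."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            nets.append(ipaddress.ip_network(row["Subnet"].strip(), strict=False))
        except ValueError:
            continue  # one bad row should not silently break every match
    # Longest prefix first so overlapping subnets resolve to the most specific
    # one. That is this example's choice, not a statement about Splunk's lookup.
    return sorted(nets, key=lambda n: n.prefixlen, reverse=True)


def count_ips_per_subnet(subnet_csv, ip_csv):
    """Equivalent of '| lookup ... | stats count by Subnet': returns {subnet: count}
    plus the IPs that matched no subnet (the SPL 'stats ... by Subnet' would drop them)."""
    nets = load_subnets(subnet_csv)
    counts, unmatched = Counter(), []
    for row in csv.DictReader(io.StringIO(ip_csv)):
        raw = row["IP"].strip()
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            unmatched.append(raw)
            continue
        match = next((n for n in nets if ip.version == n.version and ip in n), None)
        if match is None:
            unmatched.append(raw)
        else:
            counts[str(match)] += 1
    return dict(counts), unmatched


if __name__ == "__main__":
    counts, unmatched = count_ips_per_subnet(SUBNET_CSV, IP_CSV)
    for subnet, count in sorted(counts.items()):
        print(f"{subnet:<20} {count}")  # 10.20.0.0/16 2, 10.21.0.0/16 3
    print("unmatched:", unmatched)
```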
sideview
SplunkTrust

Sorry, I had to update the answer about 10 minutes after I posted it because of a couple of mistakes I found later.


jizzmaster
Path Finder

Yeah, in a way I was hoping for an inline CIDR match. But the regular lookup works once I put a stanza in transforms.conf. 'Tis a shame that the inline ability is seemingly not possible.
