Splunk Search

How to match IP and CIDR block in a single Lookup file and match the lookup file field as OUTPUT

ernst_young_chn
Engager

Hello Guys!

I have a lookup file with both IP Address and IP ranges

e.g.
ip, threat_key, description
10.10.1.1, spyware, ABC
10.24.0.0/24, Spyware, DEF

When I use this lookup file in my query based on src_ip, it matches both the CIDR block and the normal IP. However, when I try to add the fields threat_key and description to the search result:

When I don't add a lookup setting in transforms.conf, the search results show the fields threat_key and description for an exact match of the IP address, i.e. for the 1st event the threat_key and description are displayed.

When I use match_type=CIDR(ip) in transforms.conf for the lookup I am using, the threat_key and description fields are displayed for the IP ranges.

I need threat_key and description to be displayed for both scenarios.

Here is my search query:

Firewall | search [inputlookup ip_intel | rename ip as src_ip | fields src_ip] | lookup ip_intel ip as src_ip OUTPUT threat_key, description

transforms.conf
[ip_intel]
filename = ip_intel
match_type = CIDR(ip)

This works to get the OUTPUT fields threat_key and description for a CIDR match of src_ip.

However, it doesn't output the fields for an exact IP match.

Thanks for your help


grundsch
Communicator

You need to modify your single IP values in the lookup by appending a /32, i.e. in your case it should be 10.10.1.1/32.
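As an added example (not part of either post), the following Python script applies the normalization grundsch suggests to a mixed lookup CSV, rewriting every bare address as a /32 (or /128 for IPv6) block so that all rows are CIDR blocks, and then resolves a src_ip against the result the way a CIDR lookup would, returning the most specific match. The column names and sample rows are taken from the question; the script itself is an assumed way of preparing the file outside Splunk before uploading it.

```python
import csv
import io
import ipaddress
from typing import Optional

# Constructed sample in the question's format: one bare address, one CIDR block.
LOOKUP_CSV = """ip, threat_key, description
10.10.1.1, spyware, ABC
10.24.0.0/24, Spyware, DEF
"""


def normalize_lookup(csv_text: str) -> str:
    """Return the lookup CSV with every bare IP rewritten as an explicit CIDR block."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    fieldnames = [name.strip() for name in reader.fieldnames]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row = {k.strip(): v.strip() for k, v in row.items()}
        # ip_network() on a bare address yields a single-host network (/32 or /128),
        # which is what match_type=CIDR(ip) needs in order to keep matching it.
        row["ip"] = str(ipaddress.ip_network(row["ip"], strict=False))
        writer.writerow(row)
    return out.getvalue()


def lookup_ip(csv_text: str, src_ip: str) -> Optional[dict]:
    """Resolve src_ip against the lookup; return the OUTPUT fields of the most specific block."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for row in csv.DictReader(io.StringIO(csv_text), skipinitialspace=True):
        net = ipaddress.ip_network(row["ip"], strict=False)
        if addr.version == net.version and addr in net:
            # Prefer the longest prefix when several rows cover the address.
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    if best is None:
        return None
    return {"threat_key": best[1]["threat_key"], "description": best[1]["description"]}


if __name__ == "__main__":
    normalized = normalize_lookup(LOOKUP_CSV)
    print(normalized)
    for ip in ("10.10.1.1", "10.24.0.77", "192.0.2.1"):
        print(ip, "->", lookup_ip(normalized, ip))
```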
