Splunk Search

Is there a way for a query to take a value from lookup table and if it has a match it record down the value and continue the next search?

bilchen
New Member

Hi,
Is there a way for a query to take a value from lookup table and if it has a match it record down the value and continue the next search?
For example, I have a group of CIDRs in a lookup csv. I want to search IPs in the log; if there is one IP in the specified CIDR range, then record down the CIDR, then continue the search if there is an IP that falls in the next CIDR, and if not, pass to the next CIDR. At the end of the search I should have all CIDRs that have IPs in the log.

index=network status=404 [|inputlookup CIDR.csv|rename CIDR as src_ip|table src_ip]

the above query will have matches but I want to know which CIDR has the match?

Thanks in advance!


somesoni2
SplunkTrust

You need to use your CIDR lookup as a filter (what you have right now) to capture only the relevant records, and then as a lookup to enrich your data with the matching CIDR. To achieve that, you first need to create a lookup definition from your lookup table file CIDR.csv which can do a CIDR match. You can follow the steps from the post below to set up your lookup definition. There is an optional step provided in that post for an automatic lookup, but you can exclude that (just use the transforms.conf changes).

https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

Once you have the lookup definition set up (say it is named CIDR), use a search like this, which will give the list of CIDRs which have IPs in the log and the corresponding count of distinct IPs that match.

index=network status=404 [|inputlookup CIDR|rename CIDR as src_ip|table src_ip]
| lookup CIDR CIDR as src_ip OUTPUT CIDR  | stats dc(src_ip) as src_ip_count by CIDR

lguinn2
Legend

If you want to do a lookup, I wouldn't use the inputlookup command.
Assume that the source data has a field named "ip" that contains the IP address, and that the CIDR.csv contains a single field named CIDR. Also, assume that there is a lookup named "cidr_lookup" - this lookup should allow multiple lookup results (which is the default). Of course, it should be set for CIDR-matching. Now your search can be

index=network status=404
| lookup cidr_lookup CIDR as ip output CIDR
| stats list(CIDR) as "CIDR list" by ip

DalJeanis
SplunkTrust

If the values in CIDR.csv were "001.001.001.001.001" and "002.002.002.002", then your code...

 index=network status=404 [|inputlookup CIDR.csv|rename CIDR as src_ip|table src_ip]

...is translated by Splunk's implicit format command to a search that looks like this...

 index=network status=404 ( (src_ip="001.001.001.001.001" ) OR ( src_ip="002.002.002.002") )

... and so the answer is, for that query, the matched value is found in the src_ip field.


You can read more about the format command here - https://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Format.

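The answers above describe two different mechanics: the subsearch in the question is expanded by the implicit format command into exact-equality terms on src_ip (so CIDR strings from the csv never match a plain IP by range), while a lookup definition with Splunk's CIDR match type attaches every range that contains the event's IP, after which stats can count distinct IPs per CIDR or list CIDRs per IP. The following Python script is an added offline emulation of both steps; it is not Splunk code and not from any of the posters. It assumes a lookup definition named cidr_lookup backed by CIDR.csv with match_type = CIDR(CIDR) in transforms.conf, and all csv rows and events it uses are constructed for the example.

```python
"""Offline emulation of the Splunk behaviours discussed in this thread.

1. Implicit `format` expansion of a subsearch: lookup rows become an OR of
   exact equality terms (src_ip="..."), with no CIDR semantics.
2. A lookup definition with match_type = CIDR(CIDR): each event is enriched
   with every CIDR range containing its IP, then `stats dc(src_ip) by CIDR`
   and `stats list(CIDR) by src_ip` summarise the result.

The csv text and events below are constructed for this example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for CIDR.csv (single column, header "CIDR").
CIDR_CSV = """CIDR
10.0.0.0/8
10.1.0.0/16
192.168.1.0/24
"""

# Constructed stand-in for index=network status=404 events.
EVENTS = [
    {"src_ip": "10.1.2.3", "status": "404"},
    {"src_ip": "10.1.2.4", "status": "404"},
    {"src_ip": "10.9.9.9", "status": "404"},
    {"src_ip": "192.168.1.50", "status": "404"},
    {"src_ip": "203.0.113.7", "status": "404"},
    {"src_ip": "10.0.0.0/8", "status": "404"},  # src_ip that literally equals a csv row
]


def load_lookup(csv_text):
    """Parse the lookup csv into (raw string, ip_network) pairs."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(row["CIDR"], ipaddress.ip_network(row["CIDR"], strict=False)) for row in rows]


def format_subsearch(lookup, field="src_ip"):
    """Emulate `[|inputlookup CIDR.csv|rename CIDR as src_ip|table src_ip]`:
    the implicit format command ORs together exact-match terms."""
    terms = [f'( {field}="{raw}" )' for raw, _ in lookup]
    return "( " + " OR ".join(terms) + " )"


def subsearch_filter(events, lookup, field="src_ip"):
    """Apply the expanded subsearch: plain string equality, so only an event
    whose src_ip is literally a csv value survives."""
    wanted = {raw for raw, _ in lookup}
    return [e for e in events if e.get(field) in wanted]


def cidr_lookup(events, lookup, event_field="src_ip", output_field="CIDR"):
    """Emulate `lookup cidr_lookup CIDR AS src_ip OUTPUT CIDR` with a CIDR
    match type: all matching ranges are attached as a multivalue field and
    events with no match are passed through unchanged."""
    enriched = []
    for e in events:
        row = dict(e)
        try:
            ip = ipaddress.ip_address(e[event_field])
        except ValueError:
            # Assumption for this emulation: a non-IP value gets no match.
            enriched.append(row)
            continue
        matches = [raw for raw, net in lookup if ip in net]
        if matches:
            row[output_field] = matches
        enriched.append(row)
    return enriched


def stats_dc_by_cidr(enriched):
    """`stats dc(src_ip) as src_ip_count by CIDR`; events without CIDR drop out."""
    seen = defaultdict(set)
    for e in enriched:
        for cidr in e.get("CIDR", []):
            seen[cidr].add(e["src_ip"])
    return {cidr: len(ips) for cidr, ips in sorted(seen.items())}


def stats_list_by_ip(enriched):
    """`stats list(CIDR) as "CIDR list" by src_ip` for events that matched."""
    return {e["src_ip"]: e["CIDR"] for e in enriched if "CIDR" in e}


if __name__ == "__main__":
    lookup = load_lookup(CIDR_CSV)
    print(format_subsearch(lookup))
    print("exact-match subsearch hits:", [e["src_ip"] for e in subsearch_filter(EVENTS, lookup)])
    enriched = cidr_lookup(EVENTS, lookup)
    print("dc(src_ip) by CIDR:", stats_dc_by_cidr(enriched))
    print("list(CIDR) by src_ip:", stats_list_by_ip(enriched))
```

Running it shows the contrast the thread turns on: the expanded subsearch keeps only the event whose src_ip is the literal string "10.0.0.0/8", whereas the CIDR-matching lookup attributes 10.1.2.3 to both 10.0.0.0/8 and 10.1.0.0/16, which is why an IP can appear under more than one CIDR in the per-CIDR counts.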