Splunk Search

Match IP address in Splunk to IP range in CSV

spark2310
Explorer

index=logs ip_address=*
has single ip addresses like 5.9.100.100

CSV file:
range, owner
5.9.0.0/24 Owner1
5.10.64.0/24 Owner2

How can I correlate ip_address to CIDR in CSV file?

I guess we need to use CIDR_match and input lookup function somewhere.

0 Karma

woodcock
Esteemed Legend

Run this search:

| makeresults
| eval raw="5.9.0.0/24 Owner1::5.10.64.0/24 Owner2"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "^(?<range>\S+)\s+(?<owner>.*)$"
| table range owner
| outputlookup MyLookup.csv

You now have a Lookup file.

Create a Lookup definition like this:
Settings -> Lookups -> Lookup definitions -> New
Give it a name like MyLookup and select File-based for Type and MyLookup.csv for Lookup file.
Click Advanced options checkbox.
Enter CIDR(range) for Match type.
Click the green Save button.
You now have a Lookup definition.

Create an Automatic lookup like this:
Settings -> Lookups -> Automatic lookups -> New
Give it a name like MyLookup_ip_address_TO_owner.
Select MyLookup for Lookup table (yes, it is mislabeled).
Enter your sourcetype for Named.
Enter range on the left and ip_address on the right under Lookup input fields.
Enter owner on the left under Lookup output fields
Check (or not) the Overwrite field values box.
Click the green Save button.
You now have an Automatic lookup.

Wait 10 minutes.
PROFIT!

0 Karma

elliotproebstel
Champion

The best way to do this is to configure your lookup table to perform CIDR matching. Here is a good example of how to do that:
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html

This will allow you to just use | lookup ip_address... like normal, but it will use CIDR matching under the hood.

0 Karma

spark2310
Explorer

so how would you rewrite my query?

0 Karma

elliotproebstel
Champion

After you've configured your lookup to use CIDR matching, let's say you called your lookup ip_owner. If you have a base search already and just want to retain the events from your search that match the CIDRs in the lookup:

your base search 
| lookup ip_owner range AS ip_address OUTPUT owner
| where isnotnull(owner)
0 Karma
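What the CIDR(range) match type does when the search above runs the lookup can be shown offline. The following is an added Python example, not part of the thread and not Splunk code: it loads a constructed stand-in for MyLookup.csv, walks constructed events in place of index=logs ip_address=*, and keeps only events whose ip_address falls inside one of the ranges, mirroring | lookup ... OUTPUT owner | where isnotnull(owner). The function names, the sample events and the first-match-in-file-order rule for overlapping ranges are the example's own choices.

```python
import csv
import io
import ipaddress

# Constructed stand-in for MyLookup.csv; columns match the thread (range, owner).
LOOKUP_CSV = """range,owner
5.9.0.0/24,Owner1
5.10.64.0/24,Owner2
"""

# Constructed sample events, standing in for index=logs ip_address=*
EVENTS = [
    {"ip_address": "5.9.100.100"},   # the asker's example address
    {"ip_address": "5.9.0.42"},
    {"ip_address": "5.10.64.7"},
    {"ip_address": "8.8.8.8"},
    {"ip_address": "not-an-ip"},     # malformed field value
]


def load_cidr_lookup(csv_text):
    """Parse the lookup CSV into (network, owner) rows, preserving file order."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # strict=False tolerates host bits set in the range column (e.g. 5.9.0.1/24)
        net = ipaddress.ip_network(row["range"].strip(), strict=False)
        rows.append((net, row["owner"].strip()))
    return rows


def cidr_lookup(ip_text, rows):
    """Return the owner of the first range containing ip_text, or None.

    None is also returned for values that are not IP addresses, which is the
    case the | where isnotnull(owner) filter in the thread silently drops.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, owner in rows:  # first match in file order (example's own rule)
        if ip.version == net.version and ip in net:
            return owner
    return None


def enrich(events, rows):
    """Attach owner to matching events and drop the rest (lookup + isnotnull)."""
    out = []
    for ev in events:
        owner = cidr_lookup(ev["ip_address"], rows)
        if owner is not None:
            out.append({**ev, "owner": owner})
    return out


if __name__ == "__main__":
    lookup_rows = load_cidr_lookup(LOOKUP_CSV)
    for ev in enrich(EVENTS, lookup_rows):
        print(ev["ip_address"], "->", ev["owner"])
```

One thing this makes visible: the address in the question, 5.9.100.100, is not inside 5.9.0.0/24 (that range only covers 5.9.0.0 to 5.9.0.255), so the search in the answer would drop that event. If the intent was to cover all of 5.9.x.x, the range column needs a wider prefix such as /16. When ranges in the CSV overlap, the answer Splunk returns depends on the lookup definition's settings; this example simply takes the first matching row in file order.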