- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter results by IP address from 3 lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Filter results by IP address from 3 lookup
Hello
i have one trouble, i went to extract IP address that not in Lookup of list servers and not in lookup of list network devices, and this IP must match with list of Subnet define in lookup. the gol of this request it's to find unknown IP address.
this is structure of lookup CSV
Subnet.csv
Attribution Plage
SubnetX 10.10.0.0/16
Subnety 10.15.0.0/16
Subnetz 10.18.0.0/16
server.csv
Hostname IP_addresses
Host1 10.10.15.35
Host2 10.15.15.35
Host3 10.18.15.35
network.csv
Hostname IP_addresses
network1 10.10.16.35
network2 10.15.17.35
network3 10.18.18.35
for exemple if on my index i find IP like 10.18.18.36 that IP is not on server.csv and network.csv but match with subnet 10.18.0.0/16 i went to send ALERT but if this IP exist on lookup server or network isn't a problem.
this is my request :
index="DNS"
|dedup dns_ip
|rename dns_ip as IP_addresses
|search [| inputlookup subnet.csv | fields Plage| rename Plage as IP_addresses]
NOT
[|inputlookup server.csv|fields IP_addresses]
OR NOT
[|inputlookup Network.csv | fields IP_addresses]
| table IP_addresses
But this request give me all IP on lookup network and lookup server and match with lookup subnet, please any one can help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, set up your CIDR lookup. There's a description of that in this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html. and this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html
Second, search your CIDR first. After all, you only want to alert if it matches the subnet. If is does not match the subnet(s), then throw it away
Finally, search the known lists. In each case, if it matches, throw it away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
In the description, you mention network.csv, but when you show the content of the csv files, server.csv has two different contents.
I suppose one of the two is in fact network.csv. Can you please update so I can have a look?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
can you help if you have any information about this request please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi yes you are right.
i have update the content of my request now you can look
thank you for your help
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
