I have been trying to create a basic lookup within Splunk where we can search an IP and get back some information. The CSV I have is a list of all our various subnets alongside some other information. For example:
Range Info
x.x.x.x/24 CountryA
x.x.x.0/28 CountryB
10.10.10.0/22 CountryA_PrivateLan
I have added this config to the local app's transforms file:
[network_ranges]
filename = network_ranges.csv
min_matches = 1
default_match = NONE
match_type = CIDR(Range)
If I do the below search I get 0 results
| inputlookup network_ranges where Range=10.10.10.10
The only way I get any results is if I match exactly the CIDR string which obviously isn't helpful.
Any help would be greatly appreciated
PS. At the moment this is just to be used to find further information for specific IPs, no short-term plans to use this information in 'traditional' search results.
I think you may have misunderstood how the CIDR matching on lookups works.
First of all, inputlookup is just a way to read stuff from a lookup file and make the fields in that file available to the rest of the search pipeline. The where argument only provides basic filtering capabilities. The CIDR match applies when using the lookup command (or if the lookup is performed implicitly). You'd match it against specified data from a search pipeline, and Splunk would compare the IP address provided in the data to the CIDR ranges defined in the lookup to see if the IP belongs to any of them.
If you don't have any data to match against but just want to specify an IP that is matched using CIDR, you could do something like
| makeresults | eval ip="10.10.10.10" | lookup network_ranges Range as ip OUTPUT Info | table ip Info
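To make the difference between the two commands concrete, here is an added stand-alone model of what each one does with the lookup from the question. It is example code written for this page, not Splunk's implementation and not part of the original answer: `inputlookup ... where Range=...` is modelled as a plain string comparison on the Range column, and `lookup` with `match_type = CIDR(Range)` as IP-in-network containment, with `default_match = NONE` returned when no range contains the IP. The CSV is a constructed stand-in for network_ranges.csv; the question's `x.x.x.x` placeholders are replaced with assumed RFC 5737 documentation ranges.

```python
# Added example (not from the original post or from Splunk): a model of the
# two commands' matching semantics against the lookup table. Runs offline.
import csv
import io
import ipaddress

# Constructed stand-in for network_ranges.csv. The first two ranges are
# assumed documentation prefixes standing in for the question's x.x.x.x rows.
NETWORK_RANGES_CSV = """\
Range,Info
192.0.2.0/24,CountryA
198.51.100.0/28,CountryB
10.10.10.0/22,CountryA_PrivateLan
"""

DEFAULT_MATCH = "NONE"  # mirrors `default_match = NONE` in transforms.conf


def load_ranges(text=NETWORK_RANGES_CSV):
    """Read the lookup file into a list of row dicts, as inputlookup does."""
    return list(csv.DictReader(io.StringIO(text)))


def inputlookup_where(rows, value):
    """Model of `| inputlookup network_ranges where Range=<value>`.

    The where clause is a plain comparison against the Range column, so only
    the exact CIDR text matches; a bare IP such as 10.10.10.10 never does.
    """
    return [r["Info"] for r in rows if r["Range"] == value]


def lookup_cidr(rows, ip):
    """Model of `| lookup network_ranges Range as ip OUTPUT Info` with
    `match_type = CIDR(Range)`.

    The IP from the search pipeline is tested for membership in each range.
    Returns the Info of every containing range, or the default_match value
    when none contains it (min_matches = 1 plus default_match = NONE).
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in rows:
        net = ipaddress.ip_network(r["Range"], strict=False)
        if addr.version == net.version and addr in net:
            hits.append(r["Info"])
    return hits if hits else [DEFAULT_MATCH]


if __name__ == "__main__":
    rows = load_ranges()
    # The user's original search: only the literal CIDR string can ever match.
    for q in ("10.10.10.10", "10.10.10.0/22"):
        print(f"inputlookup where Range={q!r:>16} -> {inputlookup_where(rows, q)}")
    # The lookup command: containment, including the /22 boundary and a miss.
    for ip in ("10.10.10.10", "10.10.11.255", "10.10.12.0", "198.51.100.5", "198.51.100.20"):
        print(f"lookup (CIDR) ip={ip:>16} -> {lookup_cidr(rows, ip)}")
```

The /22 cases show why the user saw zero results: 10.10.10.10 and 10.10.11.255 both sit inside 10.10.10.0/22 and are found by containment, while 10.10.12.0 is the first address outside it and falls back to NONE. This model only answers "which ranges contain the IP"; if your CSV has overlapping ranges, how many matches Splunk actually returns per event is governed by the lookup's max_matches setting in transforms.conf, so check that setting rather than relying on the list order here.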