Splunk Search

TA-asngen lookup - does it actually work?

howyagoin
Contributor

Been looking for a replacement for the GeoASN app that used to exist on Splunkbase for a while, and the TA-asngen (https://splunkbase.splunk.com/app/3531/) seemed to fit the bill.

However, even though it installs fine, and the initial asngen command generates the asn.csv correctly, I'm not able to get a lookup to actually work. This is on 7.0.5 or 7.2.4.2 - same result on either.

I have log data which has a field extracted as src_ip which is an IPv4 IP. I then do:

... | lookup local=t asn ip AS src_ip

But alas, whilst I certainly see my src_ip, I don't get the other fields from the lookup enriching the output.

I've also tried renaming my src_ip to just "ip" but that doesn't cut it either.

The TA defines the match_type as CIDR(ip) which makes sense, but I can't seem to get the fields shown. I have also tried an explicit OUTPUT for some of the field names, but, that also does not work.

Clearly I'm missing something trivially obvious. Permissions are correct, the files are the correct mode, I can see the content on disk, and running the command generates no errors. It also doesn't generate the expected output!

0 Karma

kellenarb
Engager

We just had the same issue. For us, the installer hadn't correctly increased the lookup max_memtable_bytes setting as described in the app documentation. Make sure your limits.conf looks like:

[lookup]
max_memtable_bytes = 30000000

The default of 10mb isn't large enough to load the whole lookup, and thus your search will often fail to find the results you expect.

Hope this works for you too!

0 Karma

wharmsworth
Engager

Does the following work?
| inputlookup asn

If so the following should work as well.

| inputlookup asn
| eval clientip="216.58.200.110"
| dedup clientip
| lookup asn ip AS clientip output asn autonomous_system ip
| rename ip AS ip_range
| iplocation clientip
| table clientip ip_range autonomous_system asn City Region Country lat lon

0 Karma
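To make clear what the two answers above expect the lookup to do, here is an added offline model of it in Python. It is not code from TA-asngen or from any of the posters. It builds a small constructed asn.csv-style table (the column names ip, asn and autonomous_system are assumed from the search in the previous answer; the ranges and values are made up), performs the CIDR(ip) match the way Splunk's `lookup` does (the most specific range containing the address wins), applies it to a few constructed events the way `| lookup asn ip AS src_ip OUTPUT asn autonomous_system ip` would, and finally does the crude size check behind kellenarb's point: a lookup file bigger than max_memtable_bytes (10,000,000 by default) will not be loaded fully, so matches silently come back empty.

```python
import csv
import io
import ipaddress

# Constructed sample of an asn.csv-style lookup (assumed columns: ip = CIDR
# range, asn, autonomous_system). Values are made up for this example.
SAMPLE_ASN_CSV = """ip,asn,autonomous_system
216.58.192.0/19,15169,EXAMPLE-NET-WIDE
216.58.200.0/24,15169,EXAMPLE-NET-SUBNET
10.0.0.0/8,64512,EXAMPLE-PRIVATE
"""

# Constructed events with the src_ip field the question describes.
SAMPLE_EVENTS = [
    {"src_ip": "216.58.200.110", "action": "allowed"},
    {"src_ip": "216.58.193.5", "action": "blocked"},
    {"src_ip": "8.8.8.8", "action": "allowed"},
    {"src_ip": "garbage", "action": "allowed"},
]


def load_cidr_lookup(csv_text, key_field="ip"):
    """Parse the CSV into (network, row) pairs; rows whose key is not a valid CIDR are skipped."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row[key_field], strict=False)
        except (KeyError, ValueError):
            continue
        table.append((net, row))
    return table


def cidr_lookup(table, ip_value, output_fields):
    """Return the requested output fields from the longest-prefix range containing ip_value.

    This mirrors match_type = CIDR(ip): an exact string match is not needed, the
    address only has to fall inside a range. Unparseable addresses match nothing.
    """
    try:
        addr = ipaddress.ip_address(ip_value)
    except ValueError:
        return {}
    best = None
    for net, row in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    if best is None:
        return {}
    return {f: best[1][f] for f in output_fields if f in best[1]}


def enrich_events(events, table, src_field="src_ip",
                  output_fields=("asn", "autonomous_system", "ip")):
    """Model `| lookup asn ip AS <src_field> OUTPUT asn autonomous_system ip` over event dicts."""
    enriched = []
    for ev in events:
        out = dict(ev)
        out.update(cidr_lookup(table, ev.get(src_field, ""), output_fields))
        enriched.append(out)
    return enriched


def fits_in_memtable(csv_text, max_memtable_bytes=10_000_000):
    """Crude check of the limits.conf budget: (fits, size_in_bytes).

    The raw file size is only a lower bound on what Splunk holds in memory for
    the lookup, so a file close to the limit should already be treated as too big.
    """
    size = len(csv_text.encode("utf-8"))
    return size <= max_memtable_bytes, size


if __name__ == "__main__":
    table = load_cidr_lookup(SAMPLE_ASN_CSV)
    for row in enrich_events(SAMPLE_EVENTS, table):
        print(row)
    print("fits in default memtable:", fits_in_memtable(SAMPLE_ASN_CSV))
```

If the offline model enriches an address but Splunk does not, the table itself is not the problem; the usual remaining causes on this thread are the memtable limit in limits.conf or the lookup definition (match_type and the field name on the `lookup` command) not lining up.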