Have not had luck with this yet. I am looking at all of my "blocked" traffic in the firewall logs and hope to weed out the traffic heading for "known" networks to look at the stuff that is "unknown". I hope to update a lookup table that will be my "filter" list. Here is an example of what is in there:
CIDR,Net_Name
10.0.0.0/8,Internal
172.16.0.0/12,Internal
192.168.0.0/16,Internal
169.254.0.0/16,Internal
74.125.0.0/16,3rd_Party_Trusted-Google
65.52.0.0/14,3rd_Party_Trusted-Microsoft
75.75.72.0/21,Consumer_ISP-Comcast
Basically I would like to say
sourcetype=firewall action=drop | if "dst" is in any CIDR then remove from search | stats dc(src) by dst, proto, dst_port | sort dc(src) desc
The bit in the middle is what I have issue with. I have seen the format output, and it looks to have ORs between each value; not sure if you can do that for a dst!=.
| inputlookup known_networks.csv | fields CIDR | format
( ( CIDR="10.0.0.0/8" ) OR ( CIDR="172.16.0.0/12" ) OR ( CIDR="192.168.0.0/16" ) OR ( CIDR="169.254.0.0/16" ) OR ( CIDR="127.0.0.0/8" ) OR .....
Have a look at the lookup match_type setting; specifically, change it to cidr.
Then, once you have matched it, you could use a where clause to filter out the traffic.
This should help:
http://splunk-base.splunk.com/answers/5916/using-cidr-in-a-lookup-table
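As an added example (not part of the answer above, and not Splunk's own documentation), here is what the match_type approach looks like end to end: a transforms.conf lookup definition that turns the CIDR column into a subnet match, and a saved search that keeps only the dropped destinations no known network matched. The stanza names, the app they live in, and the event field names dst, src, proto and dst_port are assumed from the question; the address in the check stanza is constructed.

```conf
# Added example, not part of the original answer. Two .conf stanzas
# that put the match_type advice into practice; the stanza names
# and the app they live in are assumed.

# --- transforms.conf -------------------------------------------------
# match_type = CIDR(<column>) makes Splunk treat that column as a subnet
# and test whether the looked-up value falls inside it. Without it the
# lookup compares the strings "10.1.2.3" and "10.0.0.0/8" for equality
# and never matches.
[known_networks]
filename   = known_networks.csv
match_type = CIDR(CIDR)

# --- savedsearches.conf ----------------------------------------------
# Reference the lookup by the stanza name above, not by
# known_networks.csv: a lookup called by file name ignores match_type
# and falls back to exact string matching. Net_Name is only populated
# when some CIDR row contains dst, so isnull() leaves the unknowns.
[Dropped traffic to unknown networks]
search = sourcetype=firewall action=drop \
| lookup known_networks CIDR AS dst OUTPUT Net_Name \
| where isnull(Net_Name) \
| stats dc(src) AS distinct_sources BY dst, proto, dst_port \
| sort - distinct_sources

# Quick check of the lookup itself against one constructed address, so
# you can confirm the subnet match works before trusting the report.
[Check known_networks CIDR match]
search = | makeresults | eval dst="10.20.30.40" \
| lookup known_networks CIDR AS dst OUTPUT Net_Name \
| table dst, Net_Name
```

Both searches can also be pasted into the search bar as-is (drop the backslashes). Two things to watch: the CSV must not have spaces after the commas, or the header and values come through with a leading space and the lookup field is no longer called Net_Name; and if you would rather tag unknowns than filter on a null, add min_matches = 1 and default_match = Unknown to the transforms.conf stanza and search for Net_Name=Unknown instead of using where isnull().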
This is related, and may be useful --
http://splunk-base.splunk.com/answers/57094/join-ip-with-a-subnet
Also, you might be able to do some of this in this manner:
sourcetype=firewall action=drop NOT
[ | inputlookup known_networks.csv | fields CIDR | rename CIDR AS dst ]
| stats dc(src) by dst, proto, dst_port
| sort dc(src) desc