Splunk Search

Lookup with CIDR

ccsfdave
Builder

Greetings,

I feel like this shouldn't be rocket science, but I just can't make it work.

Our internal network is pretty complicated with IPs assigned to departments in pretty granular form. I would like to do the hard work ahead of time and put our IPAM (IP Address Management) into a lookup table. I am trying on a very small sample first to get it working then will add the rest.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[ipam]
LOOKUP-ipam = ipam Dept OUTPUTNEW Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

So if I do a search of 10.17.10*.* I would like to get a new Department field created with the value of Rec and Park assigned to it.

Thanks.

Dave


ccsfdave
Builder

So I am halfway there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.

The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

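As an added example (not code from this thread), here is a small Python model of what the automatic lookup above does with the table: parse ipam.csv, CIDR-match each event's src_ip, and add Department without overwriting an existing value. The table rows and the cisco_asa events are constructed; the extra /24 row and the longest-prefix rule for overlapping rows are this example's own assumptions, not a description of Splunk's match ordering.

```python
import csv
import io
import ipaddress
# Constructed lookup table: the thread's two rows plus a constructed /24 row to exercise overlaps.
IPAM_CSV = """src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
10.17.101.0/24,Rec_and_Park
"""

def load_ipam(csv_text):
    """Parse ipam.csv into (network, dept) pairs. strict=False accepts rows like
    10.17.101.0/16 (host bits set) and normalises them to 10.17.0.0/16."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["src_ip"].strip(), strict=False)
        table.append((net, row["Dept"].strip()))
    return table

def lookup_dept(src_ip, table):
    """Return the Dept of the most specific network containing src_ip, or None.
    Longest prefix wins is this example's rule for overlapping rows, not a claim
    about how Splunk orders its CIDR matches."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, dept in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dept)
    return best[1] if best else None

def enrich(events, table):
    """Apply the automatic lookup to event dicts: add Department from src_ip
    without overwriting an existing Department (OUTPUTNEW behaviour)."""
    enriched = []
    for event in events:
        event = dict(event)
        if "src_ip" in event and "Department" not in event:
            dept = lookup_dept(event["src_ip"], table)
            if dept is not None:
                event["Department"] = dept
        enriched.append(event)
    return enriched

# Constructed cisco_asa-style events with src_ip already extracted as a field.
EVENTS = [
    {"sourcetype": "cisco_asa", "src_ip": "10.17.101.7", "action": "Built"},
    {"sourcetype": "cisco_asa", "src_ip": "10.16.40.2", "action": "Teardown"},
    {"sourcetype": "cisco_asa", "src_ip": "192.0.2.10", "action": "Deny"},
]
```

Note that the thread's own two rows overlap once normalised (10.17.0.0/16 lies inside 10.16.0.0/15), so any 10.17.x.x address matches both; with a single Dept value that is harmless, but with different values the row that wins matters.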

ccsfdave
Builder

MHibbin,

So do I need the same stanza for each source type in props.conf?


MHibbin
Influencer

I completely overlooked that!


MHibbin
Influencer

Your lookup should probably be something like:

[ipam]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

I've not tested/tried this as I normally don't use the automatic lookups (for some reason).

MHibbin
Influencer

@ccsfdave, Hmmm... try changing the src_ip field in your lookup to srcip, and then change it in your transforms.conf. Then change the props.conf to the following:

LOOKUP-ipam = ipam srcip AS src_ip OUTPUTNEW Dept AS Department


ccsfdave
Builder

Hmm, I get:

[DT-SPLK-Idx] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'ipam' and lookup table 'ipam'.

After cutting and pasting your suggestion above. 😞 Thanks though!
