Splunk Search

Lookup with CIDR

ccsfdave
Builder

Greetings,

I feel like this shouldn't be rocket science, but I just can't make it work.

Our internal network is pretty complicated with IPs assigned to departments in pretty granular form. I would like to do the hard work ahead of time and put our IPAM (IP Address Management) into a lookup table. I am trying on a very small sample first to get it working then will add the rest.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[ipam]
LOOKUP-ipam = ipam Dept OUTPUTNEW Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

So if I do a search of 10.17.10*.* I would like to get a new Department field created with the value of Rec and Park assigned to it.

Thanks.

Dave

1 Solution

ccsfdave
Builder

So I am half way there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.

The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
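
As an added example (not code from the original post and not Splunk's own lookup implementation), the Python below mirrors what a CIDR(src_ip) lookup does against the ipam.csv shown in this thread: it matches an event IP against each CIDR row, flags rows whose notation is not canonical or whose ranges overlap, and checks that every field named after OUTPUTNEW exists as a CSV column, which is the condition behind the "could not find all of the specified destination fields" error quoted later in the thread. The CSV text is the page's own sample embedded inline; the function names are this example's, and the remark about max_matches only says that the transforms.conf setting governs multiple matches, not which row wins.

```python
"""Pre-flight checks for a Splunk CIDR lookup table (added example)."""
import csv
import io
import ipaddress

# Constructed sample: the same rows as the post's ipam.csv.
IPAM_CSV = """src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
"""


def load_ipam(csv_text, cidr_field="src_ip"):
    """Parse the lookup CSV into (network, row) pairs, keeping file order.

    strict=False accepts rows such as 10.17.101.0/16 whose host bits are
    set; ipaddress then reads that row as 10.17.0.0/16, i.e. all of 10.17.x.x.
    Returns (header_fieldnames, rows).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        net = ipaddress.ip_network(row[cidr_field], strict=False)
        rows.append((net, row))
    return reader.fieldnames, rows


def cidr_matches(rows, ip):
    """Return every row whose CIDR contains ip, in file order.

    More than one hit means the table has overlapping ranges; how Splunk
    combines several matching rows is controlled by max_matches in
    transforms.conf, so overlaps are worth resolving before deployment.
    """
    addr = ipaddress.ip_address(ip)
    return [row for net, row in rows if addr in net]


def table_problems(rows, cidr_field="src_ip"):
    """Flag rows that are not written in canonical form and ranges that overlap."""
    problems = []
    for net, row in rows:
        raw = row[cidr_field]
        if raw != str(net):
            problems.append(f"non-canonical: {raw} is read as {net}")
    for i, (a, _) in enumerate(rows):
        for b, _ in rows[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlap: {a} and {b}")
    return problems


def missing_output_fields(fieldnames, output_fields):
    """Return OUTPUT/OUTPUTNEW field names that are not columns of the CSV.

    The lookup column must exist (Dept here); the event field it is written
    to may be renamed with AS, as in 'OUTPUTNEW Dept AS Department'.
    """
    return [f for f in output_fields if f not in fieldnames]


if __name__ == "__main__":
    header, rows = load_ipam(IPAM_CSV)
    for problem in table_problems(rows):
        print("WARN", problem)
    # The first props.conf attempt asked for 'Department', which is not a column.
    print("missing:", missing_output_fields(header, ["Department"]))
    print("rows matching 10.17.101.25:", cidr_matches(rows, "10.17.101.25"))
```

Run against the sample table, the checks report that both rows are non-canonical (10.17.101.0/16 covers 10.17.0.0/16 and 10.17.102.0/15 covers 10.16.0.0/15), that the two ranges overlap, and that an address such as 10.17.101.25 matches both rows, which is a sign the department split the poster wants needs narrower prefixes than /16 and /15.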

ccsfdave
Builder

MHibbin,

So do I need the same stanza for each source type in props.conf?


MHibbin
Influencer

I completely overlooked that!


MHibbin
Influencer

Your lookup should probably be something like:

[ipam]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

I've not tested/tried this as I normally don't use the automatic lookups (for some reason).

MHibbin
Influencer

@ccsfdave, Hmmm... try changing the src_ip field in your lookup to srcip, and then change it in your transforms.conf. Then change the props.conf to the following:

LOOKUP-ipam = ipam srcip AS src_ip OUTPUTNEW Dept AS Department


ccsfdave
Builder

Hmm, I get:

[DT-SPLK-Idx] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'ipam' and lookup table 'ipam'.

After cutting and pasting your suggestion above. 😞 Thanks though!
