- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup Source IP or Destination IP value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
My journey continues. Now I would like to have a lookup match either the source or destination IP to an internal department.
This works for src_ip:
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[pan_threat]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
ipam.csv
src_ip,Dept
10.1.15.0/24,Dept 1
10.1.16.0/24,Dept 1
10.8.1.0/18,Dept 2
10.9.1.0/19,Dept 3
Now I would like to do the same with destination IP.
I tried:
transforms.conf
[dst_ip]
filename = ipam.csv
match_type = CIDR(dst_ip)
props.conf
[pan_threat]
LOOKUP-dst_ip = ipam dst_ip OUTPUTNEW Dept AS Department
ipam.csv
dst_ip,src_ip,Dept
10.1.15.0/24,10.1.15.0/24,Dept 1
10.1.16.0/24,10.1.16.0/24,Dept 1
10.8.1.0/18,10.8.1.0/18,Dept 2
10.9.1.0/19,10.9.1.0/19,Dept 3
But no luck. Thoughts on this would be very much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The secret sauce on this was the class name - they have to be different but the field name can be the same. Precedent will take place if src and dst are both in the 10.x.x.x range (in above example)
[cisco_asa]
LOOKUP-ipam_source = ipam_src src_ip OUTPUTNEW Dept AS Department
LOOKUP-ipam_destination = ipam_dest dest_ip OUTPUTNEW Dept AS Department
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The secret sauce on this was the class name - they have to be different but the field name can be the same. Precedent will take place if src and dst are both in the 10.x.x.x range (in above example)
[cisco_asa]
LOOKUP-ipam_source = ipam_src src_ip OUTPUTNEW Dept AS Department
LOOKUP-ipam_destination = ipam_dest dest_ip OUTPUTNEW Dept AS Department
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go back to what you have at the top. You don't want a field declared as a source type.
I would also change your lookup table back to single column as you have in first example. Change src_ip field header to just ip.
Then change this:
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
To:
LOOKUP-ipam_src = ipam ip AS src_ip OUTPUTNEW Dept AS Src_Department
LOOKUP-ipam_dest = ipam ip AS dest_ip OUTPUTNEW Dept AS Dest_Department
That will auto lookup your src_ip and dest_ip as ip from the file and return the results prefixed appropriately as Src_Department and Dest_Department.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer starcher, however, what I really want is one field "Department".
Thanks
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
