What I am trying to do is find what group a client IP belongs to. I have some existing assets (lookup csv) which ideally could be used in their current form. I have seen some posts similar but nothing to get me all the way there.
Base Search:
index=security sourcetype=cisco mickey_mouse duration=*| rex "outside:(?
This gives me a new field of ip with the IP that the user has been assigned from the VPN. I then want to use this IP to find the group from this csv:
IP_Address Mask Group_Name
10.3.208.128 255.255.255.192 NYC
10.3.202.128 255.255.255.192 SF
10.3.217.64 255.255.255.192 SD
10.3.227.0 255.255.255.0 callcntr
So if the result from Mickey Mouse gaining VPN access is that he is given a 10.3.227.13. I would like to have a new field (maybe named "group") return "callcntr".
Thanks!
No luck so far. Been at it for a couple hours this morning looking at a previous question and answer which is very similar: http://answers.splunk.com/answers/93620/lookup-with-cidr.html but still I cannot figure out what's going on.
So let's clean it up and lay it all out again:
Search: index=security sourcetype=cisco_asa mickey_mouse duration=*| rex "outside:(?<vpn_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"
- this will extract the IP I want to use to look up in the lookup table.
props.conf: [security]
LOOKUP-vpn_group = VPNGroup vpn_ip OUTPUTNEW Group_Name AS VPNGroup
transforms.conf: [VPNGroup]
filename = CIDR_VPN_Groups.csv
match_type = CIDR(CIDR_Address)
lookup file - /opt/splunk/etc/apps/search/lookups/CIDR_VPN_Groups.csv : CIDR_Address,Group_Name
10.1.x.x/26,fantasy_land
10.1.x.x/26,tomorrow_land
10.1.x.x/26,frontier_land
In the previous link, this results in a new field appearing in my results which I would expect to be VPNGroup.
Thanks.
Dave
I ended up copying almost exactly my previous post: link text But nothing was showing up, until I changed my search to include VPNGroup = * and then the field appeared, even though I bounced splunk. So who knows whether what I have in my comment above was working but not showing to me...
Change your lookup to encompass cidr ranges - I think that's what you're looking for:
See this answer: http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
@ccsfdave - does this help at all?
@aljohnson_splunk - I converted my lookup into a new lookup with CIDR format but ran out of time yesterday and won't get back to it until tomorrow morning. Thanks for checking in. I'll let you know how it goes.
I could swear I have a similar search somewhere in my environment, hopefully I do and I can leverage that solution as well.
Dave
You could actually do this with just the eval command using the cidrmatch function. (docs)
Here is the example from the docs:
This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
This example uses cidrmatch as a filter:
... | where cidrmatch("123.132.32.0/25", ip)
In your case however, you are probably going to want to use the case function rather than the if function.
... | eval group = case(cidrmatch("10.3.227.0/24", ip), "callcntr", cidrmatch("10.3.217.64/cidr_range", ip), "SD" ...
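As an added example (not part of this thread or of Splunk's own code), the Python below converts the questioner's IP_Address/Mask/Group_Name table into the CIDR_Address,Group_Name form that a `match_type = CIDR(CIDR_Address)` lookup consumes, and resolves a client IP to its group the way cidrmatch does; the sample rows are the four from the question, and resolving overlapping ranges by longest prefix is an assumption about the desired behaviour, not Splunk's documented rule.

```python
import csv
import io
import ipaddress

# Constructed sample: the questioner's IP/mask lookup, as CSV text.
MASK_CSV = """IP_Address,Mask,Group_Name
10.3.208.128,255.255.255.192,NYC
10.3.202.128,255.255.255.192,SF
10.3.217.64,255.255.255.192,SD
10.3.227.0,255.255.255.0,callcntr
"""


def mask_table_to_cidr(csv_text):
    """Convert IP_Address/Mask rows into CIDR_Address,Group_Name rows,
    the shape a transforms.conf CIDR lookup expects."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        # strict=True rejects a row whose host bits are set (e.g. 10.3.208.129/26);
        # such a row would never match anything in a CIDR lookup, so fail loudly.
        net = ipaddress.ip_network(f"{r['IP_Address']}/{r['Mask']}", strict=True)
        rows.append({"CIDR_Address": str(net), "Group_Name": r["Group_Name"]})
    return rows


def cidr_csv(rows):
    """Serialise the converted rows as the CIDR_VPN_Groups.csv content."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["CIDR_Address", "Group_Name"], lineterminator="\n")
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()


def lookup_group(ip, rows, default=None):
    """cidrmatch-style lookup: Group_Name of the most specific (longest-prefix)
    CIDR_Address containing ip, or default when no range matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for r in rows:
        net = ipaddress.ip_network(r["CIDR_Address"])
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r["Group_Name"])
    return best[1] if best else default


if __name__ == "__main__":
    converted = mask_table_to_cidr(MASK_CSV)
    print(cidr_csv(converted))
    print(lookup_group("10.3.227.13", converted))  # callcntr
```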
@aljohnson_splunk the problem with the example is that I have 165 groups so the eval would be really long...
@ccsfdave did you see my comment (converted to answer) to the main question? you could maybe use cidr ranges in the actual lookup?
If you wrote the eval one time and saved it as a macro, at least you'd only have to do it once 😛 but I hear what you're saying
cidr ranges : http://www.aelius.com/njh/subnet_sheet.html