Splunk Search

Use lookup file to match IP address from SPL query field to IP range in CSV file and return pertinent information for the range

luigilombardi
New Member

I have a CSV file ip_ranges that contains a list of ip_ranges along with the appropriate tag for that ip range. The CSV file is in the following format (data is made up for this example):

ip_range tag
10.0.1.0/24 TAG1
10.0.2.0/24 TAG2
10.0.3.0/24 TAG3
10.0.4.0/24 TAG4
10.0.5.0/24 TAG5
.
.
.
10.0.100.0/24 TAG100

What I am trying to do is create a search that uses the lookup table ip_ranges and goes through the first column (excluding the first row which is field name/header) and checks to see if an IP address clientip (returned field from search results) falls within any of the ranges. If clientip falls in one of those ranges, the appropriate "tag" field is returned.

The end result of the search should be a table of two columns: Client IP and Tag. The purpose of the search is to automatically link IP address to tag.

I am a newcomer to the Splunk search language, so any help/advice would be greatly appreciated.

0 Karma

somesoni2
Revered Legend

You'd need to set up a CIDR match lookup definition so that you can match your clientip field with the CIDR ranges in the lookup table. Have a look at the great answer by @kristian.kolb here, which gives you all the steps to set up an automatic lookup with CIDR match.

https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

0 Karma
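The following configuration is an added example (not from the original thread or the linked answer) of what the CIDR-matching lookup described above looks like on disk. It assumes the CSV from the question is uploaded as `ip_ranges.csv` with the header `ip_range,tag`, that the lookup definition is named `ip_ranges`, and that the events carrying `clientip` have sourcetype `access_combined`; adjust those names to your environment.

```ini
# transforms.conf (added example): lookup definition that matches an event's
# IP address against the CIDR ranges stored in the ip_range column
[ip_ranges]
filename = ip_ranges.csv
match_type = CIDR(ip_range)
# If two ranges overlap, return only the first matching row (file order)
max_matches = 1

# props.conf (added example, optional): make the lookup automatic so every
# event of this sourcetype gets a tag field without an explicit lookup command
[access_combined]
LOOKUP-ip_tag = ip_ranges ip_range AS clientip OUTPUT tag
```

With only the transforms.conf stanza in place, the two-column result from the question is produced ad hoc with `index=web sourcetype=access_combined | lookup ip_ranges ip_range AS clientip OUTPUT tag | table clientip tag`; events whose address falls in none of the ranges get an empty `tag`, which `| fillnull value="UNTAGGED" tag` makes explicit. Because `max_matches = 1` returns the first matching row rather than the most specific one, keep narrower ranges above broader ones in the CSV if the file contains overlaps, and confirm the file loaded as expected with `| inputlookup ip_ranges` before relying on the automatic lookup.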