
CIDR Lookup in Splunk

Today we will configure a CIDR lookup. A CIDR lookup matches the IP address in each event against subnet ranges written in CIDR notation (for example 10.0.0.0/8) that are stored in a lookup file, instead of requiring an exact string match. The eval function cidrmatch() performs the same subnet test inside a search; the lookup is the way to do it against a whole table of ranges.

Let’s take an example,

We have a lookup file named “ip_office.csv”, which lists all of the office subnets in CIDR notation, together with an “is_office” flag column.

We also have an index called “ip”, which gathers every IP address that is using our services. We want to identify the IPs in that index which are not part of the office, in other words every IP that does not belong to our organization.

For that requirement, we need to create a “CIDR Lookup”.

Go to Settings and click on Lookups.

Now click on “Lookup Definitions” and then “New”.

Destination app: <choose the app>

Name: <set a name for the definition>

Type: File-Based

Lookup file: select the uploaded lookup file (here ip_office.csv)

Click on Advanced options

Minimum matches: 1

Match type: CIDR(<name of the lookup column that holds the subnets>), here CIDR(ip). The field named here is the column in the lookup file, not the field in your events; the event field is mapped to it in the search.

Then save the lookup definition.

Now go to the search and run:

index=ip  
|lookup ip_office ip OUTPUT is_office 
|table ip is_office

Explanation:

We use the “lookup” command to fetch data from the “ip_office” lookup definition. “ip” is the common field between the lookup and the indexed data: because the definition uses CIDR(ip), the ip value of each event is tested against the subnets in the lookup’s ip column rather than compared as a plain string. Then, with OUTPUT, we bring the “is_office” field over from the matching lookup row.

As you can see in the lookup we have an entry “203.34.34.0/27”. A /27 covers 32 addresses, so every IP from 203.34.34.0 to 203.34.34.31 is recognised as an office IP, while 203.34.34.32 is not.


This is how we identify the external addresses: every event whose “is_office” field is NULL after the lookup carries an IP from outside the organization, so filtering on a NULL “is_office” value gives the list we wanted. If you would rather have an explicit value than a NULL, the same Advanced options let you set a Default match value that is written into “is_office” whenever no subnet matches.
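Before saving the definition it is worth checking offline what the CIDR match will do with your real ranges, in particular at subnet boundaries such as the /27 above. The following is an added example, not code from the original post or from Splunk: it emulates the lookup with the Python ipaddress module, using a constructed stand-in for ip_office.csv (columns “ip” and “is_office”, as implied by the search) and constructed sample events. It also goes one step further than the page by including an IPv6 range and a malformed value, which a CIDR lookup never matches.

```python
"""Offline emulation of the Splunk CIDR lookup described in the post.

Added example, not the blog's own code. The lookup rows, the column names
("ip", "is_office") and the sample events are constructed; swap in the real
ip_office.csv to verify its ranges before saving the lookup definition.
"""
import csv
import io
import ipaddress
from typing import Optional

# Constructed stand-in for ip_office.csv. The "ip" column holds subnets,
# because the lookup definition declares Match type: CIDR(ip).
IP_OFFICE_CSV = """ip,is_office
203.34.34.0/27,true
10.20.0.0/16,true
2001:db8:abcd::/48,true
"""

# Constructed stand-in for the events in index=ip.
EVENTS = [
    {"ip": "203.34.34.1"},
    {"ip": "203.34.34.31"},       # last address of the /27, still office
    {"ip": "203.34.34.32"},       # first address outside the /27
    {"ip": "10.20.77.9"},
    {"ip": "8.8.8.8"},
    {"ip": "2001:db8:abcd:1::5"},  # inside the IPv6 office range
    {"ip": "not-an-ip"},          # malformed value: never matches a CIDR
]


def load_lookup(csv_text: str) -> list:
    """Parse the lookup file into (network, row) pairs; unparseable rows are skipped."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["ip"].strip(), strict=False)
        except ValueError:
            continue
        table.append((net, row))
    return table


def cidr_match(ip_value: str, table: list) -> Optional[dict]:
    """Emulate match_type = CIDR(ip): return the lookup row whose subnet contains ip_value.

    If several rows contain the address this emulation prefers the longest prefix;
    keep the real lookup's office ranges non-overlapping so the question never arises.
    """
    try:
        addr = ipaddress.ip_address(ip_value.strip())
    except ValueError:
        return None
    best = None
    for net, row in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    return best[1] if best else None


def lookup_is_office(events: list, table: list) -> list:
    """Emulate `| lookup ip_office ip OUTPUT is_office | table ip is_office`.

    Events with no matching subnet get is_office = None, which is the NULL the
    post relies on to spot IPs from outside the organization.
    """
    out = []
    for ev in events:
        row = cidr_match(ev["ip"], table)
        out.append({"ip": ev["ip"], "is_office": row["is_office"] if row else None})
    return out


def non_office_ips(events: list, table: list) -> list:
    """Emulate the follow-up filter on a NULL is_office value."""
    return [r["ip"] for r in lookup_is_office(events, table) if r["is_office"] is None]


if __name__ == "__main__":
    table = load_lookup(IP_OFFICE_CSV)
    for r in lookup_is_office(EVENTS, table):
        print(f"{r['ip']:<22} {r['is_office']}")
    print("outside the organization:", non_office_ips(EVENTS, table))
```

Running it shows 203.34.34.31 matched and 203.34.34.32 unmatched, which is exactly the boundary the /27 entry defines; if your own file contains a range whose boundary surprises you here, fix the CSV before the lookup goes live.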

Suggestions:

Lookups – Lookup Table Files ( Part – 1 )

Lookups – Lookup Definition and Automatic Lookup ( Part – 2 )

That’s all about this blog, “CIDR Lookup in Splunk”.

Happy Splunking!!
