CIDR Lookup in Splunk
Today we will configure a CIDR lookup. A CIDR lookup matches the IP address in each event against subnet ranges written in CIDR notation (for example 203.34.34.0/27) in a lookup table, the same comparison the cidrmatch() eval function performs.
Let’s take an example,
We have a lookup file named "ip_office.csv", which lists all of the office IP ranges (as CIDR subnets) together with a flag field.
We also have an index called "ip", where we collect all the IPs that use our services. We want to identify which of those IPs are not part of the office, i.e. every IP that does not belong to our organization.
For that particular requirement, we need to create a “CIDR Lookup”.
Go to Settings and click on Lookups
Now click on “Lookup Definitions” and “New”
Destination app: <choose the app>
Name: <set a name for the definition, here ip_office>
Type: File-Based
Lookup file: select the uploaded lookup table file (ip_office.csv)
Click on advanced options
Minimum matches: 1
Match type: CIDR(<name of the lookup field that holds the CIDR ranges, here ip>)
And Save the lookup.
Now go to the search,
index=ip
|lookup ip_office ip OUTPUT is_office
|table ip is_office
Explanation:
We are using the "lookup" command to fetch data from the lookup definition "ip_office". The field "ip" is the common field between the lookup and the indexed data (if the event field has a different name, use "ip AS <event_field>"), and with "OUTPUT" we pull the "is_office" field from the lookup into each event that matches one of the ranges.
As you can see, the lookup has an entry "203.34.34.0/27". A /27 leaves 5 host bits, so that one row covers 32 addresses, 203.34.34.0 through 203.34.34.31, and every one of them is recognized as an office IP. An event with 203.34.34.32 does not match this row.
This is how we identify outside IPs: every event where the "is_office" field is NULL is an IP from outside of the organization. If you prefer an explicit value instead of an empty field (for example "false"), set it under "Default matches" in the advanced options of the lookup definition; with "Minimum matches: 1" Splunk fills that value in whenever no range matches.
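To make the CIDR comparison behind the lookup concrete, here is an added Python example (not part of the original post or of Splunk itself) that emulates what the CIDR(ip) match type does: it loads a constructed stand-in for "ip_office.csv", resolves each sample IP to the first range that contains it, applies a default value when nothing matches, and reports the exact address span of a subnet so you can check claims like "203.34.34.0/27 covers .0 to .31". The CSV rows and the sample IPs are constructed for the example; the field names "ip" and "is_office" follow the post.

```python
import csv
import io
import ipaddress

# Constructed stand-in for the post's ip_office.csv (not the original file).
IP_OFFICE_CSV = """ip,is_office
203.34.34.0/27,true
10.10.0.0/16,true
192.168.5.17/32,true
"""

# Constructed sample values of the "ip" field from the "ip" index.
SAMPLE_IPS = [
    "203.34.34.5",    # inside 203.34.34.0/27
    "203.34.34.31",   # last address of the /27, still inside
    "203.34.34.32",   # first address past the /27, outside
    "10.10.200.1",    # inside 10.10.0.0/16
    "192.168.5.17",   # exact /32 match
    "192.168.5.18",   # one past the /32, outside
    "8.8.8.8",        # public, outside
    "not-an-ip",      # malformed value in the event data
]


def load_cidr_lookup(csv_text):
    """Parse the lookup table into (network, is_office) pairs.

    strict=False tolerates rows with host bits set (e.g. 10.10.5.1/16),
    treating them as the enclosing network rather than rejecting the row.
    """
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["ip"].strip(), strict=False)
        table.append((net, row["is_office"].strip()))
    return table


def cidr_lookup(ip_str, table, default_match=None):
    """Emulate `| lookup ip_office ip OUTPUT is_office` with match type CIDR(ip).

    Returns the is_office value of the first range containing ip_str,
    or default_match (None stands for Splunk's empty/NULL field) when no
    range matches or the value is not a valid IP address.
    """
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        return default_match
    for net, value in table:
        if addr.version == net.version and addr in net:
            return value
    return default_match


def classify(ips, table, default_match=None):
    """Return {ip: is_office} for every sample IP, like `| table ip is_office`."""
    return {ip: cidr_lookup(ip, table, default_match) for ip in ips}


def outside_org(ips, table):
    """IPs whose lookup result is NULL, i.e. not in any office range."""
    return [ip for ip, office in classify(ips, table).items() if office is None]


def cidr_range(cidr):
    """(first address, last address, number of addresses) covered by a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


if __name__ == "__main__":
    table = load_cidr_lookup(IP_OFFICE_CSV)
    print("203.34.34.0/27 spans", cidr_range("203.34.34.0/27"))
    for ip, office in classify(SAMPLE_IPS, table, default_match="false").items():
        print(f"{ip:15} is_office={office}")
    print("outside the organization:", outside_org(SAMPLE_IPS, table))
```

Running the script shows that the /27 row covers 32 addresses ending at 203.34.34.31, that 203.34.34.32 and 8.8.8.8 come back NULL (or "false" when a default match is supplied), and that the malformed value also falls through to the default, which is the same effect you get in Splunk when the event field does not contain a parseable address.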
Suggestions:
LOOKUPS – LOOKUP TABLE FILES ( PART – 1 )
Lookups – Lookup Definition and Automatic Lookup ( Part – 2 )
That’s all about this blog “CIDR Lookup in Splunk“.
Happy Splunking!!