Re: How to Normalize the IPs in lookup table which...

AL3Z · ‎12-19-2022

IPs in lookup table

3.124.56/32

64.37.99.0/24

55.63.24.7/16

How to edit my search to Exclude an IPs from outside to a Subnet IP in a lookup file?

scelikok · ‎01-17-2023

You can easily use inputlookup command. Assuming your subnets is in subnets.csv lookup with ip field. And your events are in src_ip field.

| search [|inputlookup subnets.csv | rename ip as src_ip]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

starcher · ‎12-19-2022

Follow the Splunk docs to setup your lookup with a lookup definition and match type of CIDR for that column.

Then use the lookup as a lookup. The pattern is usually like the below to filter where in the lookup,

MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnotnull(toFilter)

yuanliu · ‎01-17-2023

To add to @starcher's instructions, I recently made this screenshot to help another question; the only difference is file name.

As shown here, you need to check "Advanced options" in order to set up CIDR match type.

As you are looking for non-matching entries, your filter should be isnull as opposed to isnotnull.

MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnull(toFilter)

AL3Z · ‎01-17-2023

How to normalize the IPs in lookup table which is in CIDR notation ?