match_cidr = CIDR() config not working as expected

dm1
Contributor

So I need to run a search on a firewall index where I need to look for field values matching those in two lookup files, src.csv and dst_withsubnets.csv, and output the corresponding fields.

Test SPL from my lab

| makeresults | eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| join src_ip
    [| inputlookup src.csv
    | rename src AS src_ip]
| join dest_ip
    [| inputlookup dst_withsubnets.csv
    | rename dst AS dest_ip]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

src.csv

1.1.1.1

dst_withsubnets.csv

dst
192.168.1.0/24

As you can notice, the SPL is searching for dest_ip in a lookup that only has destination subnets. To make it work, I have also added the following transforms.conf:

[dst_withsubnets]
filename = dst_withsubnets.csv
match_type = CIDR(dst)
max_matches = 1

However, it's still not working.


bowesmana
SplunkTrust

The way to use lookups is not the way you are doing it. Use the lookup command, not join/inputlookup:

| makeresults
| eval src_ip="1.1.1.1", src_translated_ip="3.3.3.3", dest_ip="192.168.1.1", dest_port=443, action="drop"
| lookup src.csv src as src_ip
| lookup dst_withsubnets dst as dest_ip
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

As for the CIDR variant, that comes from the lookup definition dst_withsubnets, NOT the csv file, so it will never work with inputlookup/join anyway.


dm1
Contributor

@bowesmana I tried your suggestion but am getting the error below:

Error in 'lookup' command: All of the fields in the lookup table are specified as lookups, leaving no destination fields.


bowesmana
SplunkTrust

So, if you're looking to use the lookup addresses as constraints, then you can use src.csv as a subsearch, like so:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]

which will filter your search. For the CIDR one, you can use the lookup, but do this:

| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)

which will output the found addresses to a new field, dst_match, and then you can check that it has found a match with the where clause.


dm1
Contributor

@bowesmana I want not only the src lookup but the dest lookup with subnets also to act as constraint for that search.

So, should I do it this way?

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
[| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)]
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

or without the [] for dst_withsubnets:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action

Tried both methods; none worked, unfortunately.

dm1
Contributor

Thanks @bowesmana !!! Really appreciate your help!

The SPL below worked for me:

<your_search> [ | inputlookup src.csv | rename src as src_ip | fields src_ip ]
| lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match
| where isnotnull(dst_match)
| table _time, src_ip, src_translated_ip, dest_ip, dest_port, action
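As an added illustration that is not part of the thread, the Python below models what the final search does: the src.csv subsearch acts as an exact-match constraint on src_ip, and the CIDR lookup on dest_ip keeps only events whose dst_match is non-null. The lookup contents and firewall events are constructed; the extra 10.0.0.0/8 row and the treatment of a malformed address as "no match" are assumptions.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed lookup contents mirroring src.csv and dst_withsubnets.csv from the
# thread; the 10.0.0.0/8 row is an assumption added to show a second subnet.
SRC_CSV = "src\n1.1.1.1\n"
DST_CSV = "dst\n192.168.1.0/24\n10.0.0.0/8\n"

# Constructed firewall events with the same fields as the makeresults test.
EVENTS = [
    {"src_ip": "1.1.1.1", "src_translated_ip": "3.3.3.3",
     "dest_ip": "192.168.1.1", "dest_port": 443, "action": "drop"},
    {"src_ip": "1.1.1.1", "src_translated_ip": "3.3.3.3",
     "dest_ip": "172.16.5.9", "dest_port": 80, "action": "allow"},
    {"src_ip": "2.2.2.2", "src_translated_ip": "4.4.4.4",
     "dest_ip": "192.168.1.50", "dest_port": 22, "action": "drop"},
]


def load_column(csv_text, column):
    """Read one column of a CSV lookup, like `inputlookup ... | fields <column>`."""
    return [row[column] for row in csv.DictReader(io.StringIO(csv_text))]


def cidr_lookup(dest_ip, subnets):
    """Model of `lookup dst_withsubnets dst as dest_ip OUTPUT dst as dst_match`
    with match_type = CIDR(dst), max_matches = 1: first containing subnet in
    file order, or None so `where isnotnull(dst_match)` drops the event."""
    try:
        addr = ip_address(dest_ip)
    except ValueError:          # assumption: malformed address yields no match
        return None
    for cidr in subnets:
        if addr in ip_network(cidr, strict=False):
            return cidr
    return None


def filter_events(events, src_csv=SRC_CSV, dst_csv=DST_CSV):
    """Apply both constraints: exact src_ip allowlist, then CIDR dest_ip match."""
    src_allow = set(load_column(src_csv, "src"))
    subnets = load_column(dst_csv, "dst")
    kept = []
    for ev in events:
        if ev["src_ip"] not in src_allow:       # subsearch constraint on src_ip
            continue
        dst_match = cidr_lookup(ev["dest_ip"], subnets)
        if dst_match is None:                   # where isnotnull(dst_match)
            continue
        kept.append({**ev, "dst_match": dst_match})
    return kept
```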
