
CSV Lookup as CIDR Match

Expert
Posts: 173

It would appear that there is no way to use a CSV lookup with subnets in CIDR notation and have the lookup type match IPs to that table. All the Splunk documentation says to put these lines in transforms.conf... but because we have no access to that file, and there is no choice for CIDR in the GUI, it appears this is blocked.
Is there an already existing lookup that can be cloned so we can get this option?

  • match_type = CIDR(ip)

Re: CSV Lookup as CIDR Match

Expert
Posts: 173

It appears that CIDR matching is just not something that Infoblox has made available. None of Infoblox's built-in lookups use it. I can find no way to take a random IP in the reporting tool and look it up to find out what internal network it is a member of, either through the IPAM indexes or through a manually imported CSV of networks.

Re: CSV Lookup as CIDR Match

Expert
Posts: 173

Without a CIDR match option, the ability to get to the EAs in the networks and use them within the reporting is very difficult.

My current compromise is to export all the networks out of Infoblox. Trim down the CSV to just the EAs I'm interested in, then generate a new column with just the first 3 octets of the IPv4 address and de-duplicate that information. I upload this "limited" list of just the first three IPv4 octets as a CSV lookup into the reporting tool. I can then match the first 3 octets of an IP in the reporting tool against this CSV. This gets me halfway to the goal. I can now take a random IP in the reporting tool and at least get back to the physical site it is at, usually (as we rarely split a /24 between physical sites). I still cannot get to the subnet-specific information for anything smaller than a /24. And for anything bigger than a /24, it breaks for all the clients beyond the first /24 (in a /22, for example). The larger subnets could be fixed with some code before the CSV is imported, or with some Splunk logic that subtracts 1 from the 3rd octet until a match is found. Not sure which is the better solution yet.

This does allow me to now get some "iplocation" mapping on our internal private network. I can also include items like physical site, contact information, wired vs wireless in things like RPZ reports. It's getting there, it's just a very long way to go to pull marginally correct data from within a tool that is the safe source for that data.
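The three approaches discussed in this thread side by side, as an added example that is not code from the post or from Infoblox: a real longest-prefix CIDR match (what `match_type = CIDR(ip)` would give inside the lookup), the "first three octets" workaround with the pre-import expansion that fixes the /22 breakage, and the "subtract 1 from the 3rd octet" alternative with the false-positive it can produce. The CSV columns (`network`, `Site`, `Contact`, `Media`) and the addresses are constructed sample data, not a real export.

```python
"""Map an IP to the Infoblox network (and its EAs) it belongs to, starting
from an exported CSV of networks in CIDR notation.

cidr_lookup()      - the longest-prefix match the thread is asking for
expand_to_24s()    - pre-processing for the "first three octets" workaround,
                     so a /22 becomes four /24 rows instead of one
walk_down_lookup() - the "subtract 1 from the 3rd octet" alternative
"""
import csv
import io
import ipaddress

# Constructed sample export (not real Infoblox data): network plus a few EAs.
# Column names are an assumption; adjust to the real export's headers.
SAMPLE_CSV = """network,Site,Contact,Media
10.1.0.0/22,Denver,netops@example.test,wired
10.1.4.0/24,Denver,netops@example.test,wireless
10.1.4.128/25,Denver,guest@example.test,guest-wifi
192.168.10.0/24,Austin,helpdesk@example.test,wired
"""


def load_networks(text):
    """Parse the CSV into (ip_network, row) pairs."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append((ipaddress.ip_network(row["network"], strict=False), row))
    return rows


def cidr_lookup(ip, networks):
    """Return the EAs of the most specific network containing ip, or None.

    A /25 nested under a /24 wins for addresses inside the /25; this is the
    behaviour a CIDR match type gives and the three-octet trick cannot."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, row in networks:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    return best[1] if best else None


def first_three_octets(ip):
    return ".".join(str(ip).split(".")[:3])


def network_start_table(networks):
    """The workaround as described: one key per network, its first 3 octets.
    A /22 is stored only under its first /24, which is where it breaks."""
    table = {}
    for net, row in networks:
        if net.version == 4 and net.prefixlen <= 24:
            table.setdefault(first_three_octets(net.network_address), row)
    return table


def expand_to_24s(networks):
    """Pre-import fix: split every IPv4 network of /24 or larger into its /24s,
    so clients in the second, third and fourth /24 of a /22 still match.
    Networks smaller than a /24 cannot be keyed by three octets and are
    skipped; that part of the problem this workaround does not solve."""
    table = {}
    for net, row in networks:
        if net.version != 4 or net.prefixlen > 24:
            continue
        for sub in net.subnets(new_prefix=24):
            table.setdefault(first_three_octets(sub.network_address), row)
    return table


def prefix_lookup(ip, table):
    """The reporting-tool side of the workaround: match on three octets only."""
    return table.get(first_three_octets(ip))


def walk_down_lookup(ip, table, max_steps=255):
    """Alternative to expansion: decrement the 3rd octet until a row matches.

    Recovers a /22 stored only under its first /24, but an IP in unallocated
    space falls through to whatever network sits below it, so a hit here is
    a guess rather than a match."""
    a, b, c, _ = (int(x) for x in str(ip).split("."))
    for step in range(max_steps + 1):
        if c - step < 0:
            break
        row = table.get(f"{a}.{b}.{c - step}")
        if row is not None:
            return row
    return None
```

Run `expand_to_24s` over the export before uploading the CSV and the /22 case is fixed without any search-time logic; the walk-down variant needs no pre-processing but, as the false-positive case shows, should only be trusted on addresses known to sit in allocated space.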
