Export Infoblox IPv4 Networks into Splunk Lookup Table
I want to search for Infoblox subnets in Splunk using lookup tables like this:
|inputlookup infoblox-ipv4-network-export.csv | search | where cidrmatch(CIDR,"128.252.120.128") | table CIDR, address*, netmask*, EA-School, comment, domain_name
What follows are the steps to export the data from Infoblox, convert the address and netmask to a CIDR block, import the data into a Splunk lookup table, then search the data using CIDR matching syntax.
Technical Details
- First, export the data from Infoblox using the Global CSV export console (Data Management -> IPAM -> CSV Job Manager -> CSV Export -> +):
- Uncheck all the export objects and select
IPv4 Networkonly:
-
Click
Export Data. Depending on the size it will take a while to export. -
When the export job is complete, click the hamburger menu and select
Download file:
-
The CSV export writes networks in
address / netmaskformat, it does not contain CIDR addresses. To use thecidrmatch()function in Splunk, we must add a CIDR address. Use this Python script to compute a /CIDR and add an additional column to each row with the new value:#!/usr/bin/env python3 import csv from ipaddress import IPv4Network with open('infoblox-ipv4-network-export.csv', 'r') as fin: reader = csv.reader(fin, delimiter=',') with open('new_infoblox-ipv4-network-export.csv', 'w') as fout: writer = csv.writer(fout, delimiter=',') # set headers here, grabbing headers from reader first writer.writerow(next(reader) + ['CIDR']) for row in reader: address = row[1] network = row[2] cidr = IPv4Network(address + '/' + network).prefixlen row.append(address + '/' + str(cidr)) writer.writerow(row) -
Import the CSV data into a Splunk lookup table (Settings -> Lookups -> Lookup table files -> + Add New):
- Use Splunk to query the data using a CIDR match:
|inputlookup infoblox-ipv4-network-export.csv | search | where cidrmatch(CIDR,"128.252.120.128") | table CIDR, address*, netmask*, EA-School, comment, domain_name
