Searching ARIN for a given IP address

IP addresses, on their own, can only give a tiny glimpse into their association, where they are from, or what they are for. You might be able to determine if an IP is from a private range, what asset it belongs to, or if it is from a well-known server, but in many cases, you might not know much about the IPs in question.

In this recipe, you will learn how to leverage Splunk's workflow functionality to search an IP address in your events against the ARIN (American Registry for Internet Numbers) database to look up more useful information about the IP in question, such as who the IP address is assigned to.

Getting ready

To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface.

How to do it…

Follow the steps in this recipe to create a workflow action that performs an ARIN search for a given IP address:

  1. Log in to your Splunk server.
  2. Select the Operational Intelligence application.
  3. Click on the Settings menu.
  4. Click on the Fields menu option.
  5. Click on the Workflow actions link.
  6. Click on New.
  7. Ensure that the Destination app is the operational_intelligence app.
  8. Enter ARIN_Lookup in the Name field. This name must not contain any spaces or special characters. It will be used as the internal name of the action and is not the text that will be made visible.
  9. Enter Lookup $clientip$ in ARIN in the Label field. The label is the text that will appear in the workflow dropdown. It can contain a field name enclosed with dollar signs, which will be replaced with the value of that field in the event.
  10. Enter clientip in the Apply only to the following fields field.
  11. In the Show action in dropdown, select Both, and in the Action Type dropdown, select link.
  12. In the URI field under Link configuration, enter http://whois.arin.net/rest/ip/$clientip$ and ensure that the Link method field is set to get.
  13. Click on Save to finish creating the workflow action.
  14. Let's now test the workflow action and see what it does. In a new search bar of your Operational Intelligence app, enter the following search over Last 15 minutes:
    index=main sourcetype=access_combined
  15. Once the results are displayed, click on the little arrow next to an event, and then click on the Event Actions button. You will see an option in the dropdown to run the ARIN search on the clientip address.
  16. Clicking on this option in the dropdown will open a new tab in the browser; this tab passes the IP address to https://www.arin.net/ and performs a whois lookup. The results from https://www.arin.net/ will be displayed.

How it works…

When your search results are rendered in the event listing, Splunk will match the returned fields and event types with the workflow actions you have configured and present the dropdown workflow actions as required. In this case, the clientip field was matched with the ARIN workflow action you created.

The basic GET link method used in this recipe inserts the variable value into the URI for the user to click on. In this case, the $clientip$ field variable inserts the IP address into the ARIN query URI, so that the IP is passed within the URI when it is clicked on. Other link methods are available and covered in other recipes in this chapter.

Workflow actions can be made to appear in both the Event Actions drop-down menu and the Action column in the row specific to the field in the event that the workflow action is set to work with.

By utilizing the field name substitution in the label and the URI, you can dynamically create a full assortment of workflow actions to enable your users to link to other internal or external resources.

There's more…

While workflow actions can be a convenient way to link to external resources based on the presence of certain fields in your events, you sometimes need to further customize when particular actions are displayed.

Limiting workflow actions by event types

Edit the workflow action that you created in this recipe, and in the Apply only to the following event types box, you can add in a comma-separated list of the event type names that this workflow action will be limited to.
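As an added illustration (not code from the book or from Splunk), the Python below models what Splunk does with the action built in this recipe: it checks that the clientip field, and optionally one of the event types from the "There's more" variant, is present on the event, substitutes $clientip$ into the label and URI, and refuses to build a link when the value is not a routable IP address, a check Splunk itself does not perform. All class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import quote

# Hypothetical model of the recipe's workflow action; it mirrors the fields
# entered in the Splunk UI and is not Splunk's own code.
@dataclass
class WorkflowAction:
    name: str
    label: str          # may contain $field$ placeholders
    uri: str            # link URI, also with $field$ placeholders
    fields: tuple = ("clientip",)
    eventtypes: tuple = ()   # empty means no event-type restriction

ARIN_LOOKUP = WorkflowAction(
    name="ARIN_Lookup",
    label="Lookup $clientip$ in ARIN",
    uri="http://whois.arin.net/rest/ip/$clientip$",
)
# Ranges ARIN cannot say anything useful about (RFC 1918, loopback, link-local).
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def applies_to(action, event):
    """Every configured field must be present and, if event types are
    configured, the event must carry at least one of them."""
    if not all(f in event for f in action.fields):
        return False
    if action.eventtypes:
        return bool(set(event.get("eventtype", [])) & set(action.eventtypes))
    return True

def substitute(template, event):
    """Replace each $field$ placeholder with the URL-encoded event value."""
    for f in event:
        template = template.replace(f"${f}$", quote(str(event[f]), safe=""))
    return template

def render(action, event):
    """Return (label, uri) for a matched event, or None when the action does
    not apply or a substituted field is not a routable IP address."""
    if not applies_to(action, event):
        return None
    for f in action.fields:
        try:
            ip = ipaddress.ip_address(event[f])
        except ValueError:
            return None          # never place a non-IP value into the URI
        if any(ip in net for net in SKIP_NETS):
            return None
    return substitute(action.label, event), substitute(action.uri, event)
```

The event dictionaries are constructed stand-ins for Splunk events; in a real event the eventtype field is multivalued, which the list models.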

Note

For more information on event types, see the Splunk documentation at http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes.

See also

You can refer to the following recipes for more information:

  • The Creating a ticket for application errors recipe
  • The Triggering a Google search for a given error recipe
  • The Adding hostnames to IP addresses recipe