IP addresses, on their own, can only give a tiny glimpse into their association, where they are from, or what they are for. You might be able to determine if an IP is from a private range, what asset it belongs to, or if it is from a well-known server, but in many cases, you might not know much about the IPs in question.
In this recipe, you will learn how to leverage Splunk's workflow functionality to search an IP address in your events against the ARIN (American Registry for Internet Numbers) database to look up more useful information about the IP in question, such as who the IP address is assigned to.
To step through this recipe, you will need a running Splunk Enterprise server, with the sample data loaded from Chapter 1, Play Time – Getting Data In. You should be familiar with navigating the Splunk user interface.
Follow the steps in this recipe to create a workflow action that performs an ARIN search for a given IP address. The form fields named below are those of Splunk's new workflow action form (Settings > Fields > Workflow actions > New):
1. Enter ARIN_Lookup in the Name field. This name must not contain any spaces or special characters. It will be used as the internal name of the action and is not the text that will be made visible.
2. Enter Lookup $clientip$ in ARIN in the Label field. The label is the text that will appear in the workflow dropdown. It can contain a field name enclosed with dollar signs, which will be replaced with the value of that field in the event.
3. Enter clientip in the Apply only to the following fields field.
4. Enter http://whois.arin.net/rest/ip/$clientip$ in the URI field and ensure that the Link method field is set to get.
5. Run the search index=main sourcetype=access_combined over the sample data.
6. Expand an event in the results, locate the clientip field, and select the Lookup <IP> in ARIN action (the label with the IP address substituted in) from its Action menu to run the whois lookup on that address. The results from https://www.arin.net/ will be displayed.
When your search results are rendered in the event listing, Splunk will match the returned fields and event types with the workflow actions you have configured and present the dropdown workflow actions as required. In this case, the clientip field was matched with the ARIN workflow action you created.
The basic GET link method used in this recipe inserts the variable value into the URI for the user to click on. In this case, the $clientip$ field variable inserts the IP address into the ARIN query URI, so that the IP is passed within the URI when it is clicked on. Other link methods are available and covered in other recipes in this chapter.
Workflow actions can be made to appear in both the Event Actions drop-down menu and the Action column in the row specific to the field in the event that the workflow action is set to work with.
By utilizing the field name substitution in the label and the URI, you can dynamically create a full assortment of workflow actions to enable your users to link to other internal or external resources.
While workflow actions can be a convenient way to link to external resources based on the presence of certain fields in your events, you sometimes need to further customize when particular actions are displayed.
Edit the workflow action that you created in this recipe, and in the Apply only to the following event types box, you can add in a comma-separated list of the event type names that this workflow action will be limited to.
For more information on event types, see the Splunk documentation at http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Abouteventtypes.
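The matching and substitution behaviour described above (required fields, optional event type restriction, and $field$ replacement in the label and URI) can be modelled in a few lines. The following is an added example written for this recipe, not Splunk's own implementation; the dictionary keys mirror those of workflow_actions.conf, the sample event and the event type names are constructed, and URI values are percent-encoded because the substituted value comes from log content.

```python
import re
from urllib.parse import quote

# Constructed model of the action built in this recipe, keyed like workflow_actions.conf.
ARIN_LOOKUP = {
    "name": "ARIN_Lookup",
    "label": "Lookup $clientip$ in ARIN",
    "fields": ["clientip"],
    "eventtypes": [],  # empty list: no event type restriction
    "link.uri": "http://whois.arin.net/rest/ip/$clientip$",
    "link.method": "get",
}

FIELD_REF = re.compile(r"\$(\w+)\$")


def substitute(template, event, encode):
    """Replace every $field$ token with the event's value for that field.
    URI values are percent-encoded so a log-controlled value cannot change
    the request path; labels are rendered as-is for display."""
    def repl(match):
        value = str(event.get(match.group(1), ""))
        return quote(value, safe="") if encode else value
    return FIELD_REF.sub(repl, template)


def action_applies(action, event, event_types):
    """Apply the two filters from the recipe: every field listed in
    'fields' must be present in the event, and when 'eventtypes' is set
    the event must carry at least one of those event types."""
    if any(field not in event for field in action["fields"]):
        return False
    if action["eventtypes"] and not set(action["eventtypes"]) & set(event_types):
        return False
    return True


def render_actions(actions, event, event_types=()):
    """Return the (label, uri) pairs that would be offered for this event."""
    rendered = []
    for action in actions:
        if action_applies(action, event, event_types):
            rendered.append((substitute(action["label"], event, encode=False),
                             substitute(action["link.uri"], event, encode=True)))
    return rendered


# Constructed sample event shaped like an access_combined event from the sample data.
SAMPLE_EVENT = {"clientip": "192.0.2.10", "status": "200", "uri_path": "/cart"}

if __name__ == "__main__":
    for label, uri in render_actions([ARIN_LOOKUP], SAMPLE_EVENT):
        print(label, "->", uri)
```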