topic Re: Transforms.conf not using match_type = CIDR(ip) when searching in All Apps and Add-ons

Transforms.conf not using match_type = CIDR(ip) when searching

mmqt — Wed, 12 Feb 2020 19:25:41 GMT

Leveraging the app ASN Lookup Generator - https://splunkbase.splunk.com/app/3531/ to build a lookup table for that has the following in a lookup table called 'asn'

the transforms.conf file has the following - note I commented out max_matches to test, with or without that line commented it still wont return results

# cat TA-asngen/default/transforms.conf
[asn]
filename = asn.csv
match_type = CIDR(ip)
#max_matches = 1

If I run the following search

| makeresults |eval src="1.0.0.1"| lookup asn ip as src

Nothing is matched, but it should be matched to asn 1335, any thoughts? I feel like I'm doing something wrong

Re: Transforms.conf not using match_type = CIDR(ip) when searching

to4kawa — Wed, 12 Feb 2020 21:21:22 GMT

your query, lookup asn ,not asn.csv

Re: Transforms.conf not using match_type = CIDR(ip) when searching

mmqt — Wed, 12 Feb 2020 23:46:16 GMT

changing the query to asn.csv still does not provide any ip transformation.

Re: Transforms.conf not using match_type = CIDR(ip) when searching

to4kawa — Thu, 13 Feb 2020 08:52:54 GMT

link text

how's props.conf?

Re: Transforms.conf not using match_type = CIDR(ip) when searching

mmqt — Thu, 13 Feb 2020 17:18:28 GMT

No props as this is not intended to be an automatic lookup, this lookup is called on demand for any sourcetype that contains an IP.

Props would just remove the need to put in ip as src OUTPUTNEW asn

Which is not the problem I'm trying to solve

Re: Transforms.conf not using match_type = CIDR(ip) when searching

anmolpatel — Mon, 02 Mar 2020 00:18:31 GMT

did you run the below?

| extract reload=T

Re: Transforms.conf not using match_type = CIDR(ip) when searching

mmqt — Thu, 19 Mar 2020 17:22:00 GMT

I needed to reboot the instance for it to recognize the input, after the reboot it worked