https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70537#M17646 <P>Thank you !!!. But all of this i can use in the Lookup spreadsheet?</P> <P>where clientip is the input filed and WhitelistIPs is the output field..</P> <P>so the data would be like this?<BR /> WhitelistIPs clientip<BR /> Company XXX cidrmatch("65.222.163.0/27",clientip) <BR /> Company YYYY 63.158.163.8</P> Thu, 20 Jun 2013 18:40:06 GMT xvxt006 2013-06-20T18:40:06Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70535#M17644 <P>Hi, i have a lookup table where i have the below values</P> <P>My questions are:<BR /> When i specify CIDR block would it work? or do i need to specify each ip?<BR /> we have set of internal ips which you can see in the below table. I have specified <CODE>.*</CODE> in the IPs. For example <CODE>10.*</CODE>.Would it consider all the ips that start with 10.<BR /> is it possible to specify a NOT logic? meaning NOT all the internal requests as external. so it would be <CODE>^10.*</CODE></P> <PRE><CODE>WhitelistIPs clientip Company XXX 63.122.163.0/27 Company YYYY 63.158.163.8 Company YYYY 64.274.165.6 Company YYYY 38.172.74.18 Company YYYY 12.298.108.202 Company YYYY 67.247.113.226 Company ZZZZ 74.189.118.39 Company ZZZZ 74.129.118.40 Internal 10.* Internal 167.115.* Internal 192.168.* Internal 63.85.20.233 </CODE></PRE> Thu, 20 Jun 2013 16:37:48 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70535#M17644 xvxt006 2013-06-20T16:37:48Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70536#M17645 <P>You can use <CODE>cidrmatch("65.222.163.0/27",clientip)</CODE> for exact matches. For something which starts with 10, you can use match(). Example : <CODE>match(Internal, "10.\d{1,3}.\d{1,3}.\d{1,3}")</CODE> </P> <P>You can use NOT logic too. </P> Thu, 20 Jun 2013 18:01:40 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70536#M17645 theouhuios 2013-06-20T18:01:40Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70537#M17646 <P>Thank you !!!. But all of this i can use in the Lookup spreadsheet?</P> <P>where clientip is the input filed and WhitelistIPs is the output field..</P> <P>so the data would be like this?<BR /> WhitelistIPs clientip<BR /> Company XXX cidrmatch("65.222.163.0/27",clientip) <BR /> Company YYYY 63.158.163.8</P> Thu, 20 Jun 2013 18:40:06 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70537#M17646 xvxt006 2013-06-20T18:40:06Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70538#M17647 <P>It will depend. I guess you would need to set up your loookup in a way that it can give the clientip as output along with WhitelistIps. So for clientip as Input, both Clientip and WhitelistIp's need to be output. Then you can use the above functions and play around.</P> <P>Do accept the answer if it works for you. Thanks</P> Thu, 20 Jun 2013 22:11:45 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70538#M17647 theouhuios 2013-06-20T22:11:45Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70539#M17648 <P>You can't both have wildcard matching and cidr - it has to be one of them (and you need to specify that in <CODE>transforms.conf</CODE>)</P> Fri, 21 Jun 2013 09:07:18 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70539#M17648 Ayn 2013-06-21T09:07:18Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70540#M17649 <P>Yup that's right.</P> Fri, 21 Jun 2013 14:22:11 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-question/m-p/70540#M17649 theouhuios 2013-06-21T14:22:11Z