All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to convert IP groups to name.

lakromani
Builder
‎06-05-2014 05:15 AM

I have some data like this:

6/5/2014 2:03:57 PM 0ACC PACKET  00000000070FAEC0 UDP Snd 10.253.70.49    81c5 R Q [8381   DR NXDOMAIN] AAAA   (7)he12343(5)user(4)ld(2)uk(0)

I can get the IP to a field by using "field extraction" like this:

UPD Snd (?<client_ip>[^ ]*)

It will then show up like this client_ip=10.253.70.49

I would like to get a field with name location

It should be some like this location=london based on:

london
client_ip="10.253.70.0/23"

dublin
client_ip="10.253.72.0/23"

This way I can quick see where users are located.

0 Karma
Reply

treinke
Builder
‎06-05-2014 06:16 AM

The best way for this is to use lookup tables. Since they are internal ip addresses, you can create a csv file and then tell Splunk to reference that for the location.

Here is the documentation setting up lookups:
http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Addfieldsfromexternaldatasources

There are no answer without questions
Reply

treinke
Builder
‎06-06-2014 06:22 AM

Splunk does understand ip subnets so I would think so.

There are no answer without questions
0 Karma
Reply

lakromani
Builder
‎06-05-2014 07:11 AM

Hi, and thanks for the answer. Will the csv file handle eks "10.253.70.0/23,London" (ragnges if IP) so that I do not need to add one and one IP. With millions IP, that wold take time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...