Lookup: local_ip { having fields threat_key, CIDR range, description }. I want to match the ip from index=* against the CIDR range column of the lookup where threat_key="abc". How can we do that?
Hi! If I understand correctly, your lookup file (let's name it threats.csv) looks like this:
threat_key,cidr_range,description
abc,192.168.0.0/24,Threat A
...
First, you need to create a lookup definition. Go into Settings / Lookups / Lookup definitions. Create a new one and name it "threats_lookup". Select "File-based" and "threats.csv". Very important: Click on "Advanced options" and under "Match type" enter: CIDR(cidr_range).
Now you should be able to run your search as follows:
index=* ... | table local_ip,...
| eval threat_key="abc"
| lookup threats_lookup threat_key cidr_range AS local_ip OUTPUT description
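To see what the two-key lookup above does to each event, here is an added Python emulation (not part of the original answer or of Splunk): it loads a constructed threats.csv, treats cidr_range as a CIDR match like the CIDR(cidr_range) match type, requires threat_key to match exactly, and returns every matching description, as the lookup command does unless max_matches is lowered. The event list, the extra CSV rows and the force_threat_key option (the effect of `| eval threat_key="abc"`) are assumptions for the demonstration.

```python
import csv
import io
import ipaddress

# Constructed sample of threats.csv; extra rows added to show overlap and non-matches.
THREATS_CSV = """threat_key,cidr_range,description
abc,192.168.0.0/24,Threat A
abc,10.0.0.0/8,Threat B
abc,192.168.0.0/16,Threat D
xyz,192.168.0.0/16,Threat C
"""

# Constructed sample events carrying both fields the lookup is keyed on.
EVENTS = [
    {"local_ip": "192.168.0.42", "threat_key": "abc"},
    {"local_ip": "192.168.5.9", "threat_key": "xyz"},
    {"local_ip": "10.20.30.40", "threat_key": "abc"},
    {"local_ip": "8.8.8.8", "threat_key": "abc"},
]


def load_threats(csv_text):
    """Parse the CSV and pre-build network objects (the CIDR(cidr_range) match type)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "threat_key": row["threat_key"],
            "network": ipaddress.ip_network(row["cidr_range"], strict=False),
            "description": row["description"],
        })
    return rows


def lookup_description(event, threats):
    """Emulate `lookup threats_lookup threat_key cidr_range AS local_ip OUTPUT description`:
    threat_key must match exactly AND local_ip must fall inside cidr_range.
    Every matching row contributes, so the result is a multivalue description."""
    ip = ipaddress.ip_address(event["local_ip"])
    return [t["description"] for t in threats
            if t["threat_key"] == event["threat_key"] and ip in t["network"]]


def enrich(events, threats, force_threat_key=None):
    """Apply the lookup to each event. force_threat_key overwrites the event's
    threat_key first, which is what `| eval threat_key="abc"` does in the search."""
    out = []
    for ev in events:
        ev = dict(ev)
        if force_threat_key is not None:
            ev["threat_key"] = force_threat_key
        ev["description"] = lookup_description(ev, threats)
        out.append(ev)
    return out
```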
Here threat_key needs to be checked in the lookup table itself. The threat_key column can have many values, such as
abc
xyz
but how can I compare from the lookup for the abc values only?
So when you run your base search (index=...) you get events which have both the local_ip field and the threat_key field. The threat_key field can have different values, and only for threat_key="abc" do you want to do the lookup. Do I understand correctly?