I am trying to use a text box for an input, so I can input an IP address, and then perform a CIDR lookup with a lookup table that I currently have.
I’ve tried to use an eval command for CIDR matching, however it seems that the eval version of CIDR matching requires that the input be a single IP, and that I type in the prefix manually, which I have far too many of in the lookup table.
What I mean is this.
If I have the address: 192.104.169.139
I know that this is in this subnet range:
ext_ip,description
192.104.169.128/25,vendor_name
I need to be able to punch 192.104.169.139 into a text field, and then have it look up the range and return the ‘description’ field in a table within a dashboard.
Is there a way to use the eval command for this? I am attaching the XML I am using below:
<form>
  <label>test input field</label>
  <description/>
  <fieldset submitButton="false">
    <input type="text" token="code" searchWhenChanged="true">
      <label>Input vendor code</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <searchString>| inputlookup vendor_lookup.csv | search code=$code$ | table description</searchString>
      </table>
    </panel>
  </row>
</form>
You can try the following search (works with KV Store lookup where match_type=CIDR(ip) is specified in transforms.conf):
| makeresults
| eval query_ip="192.104.169.139"
| lookup lookup_table_name ip AS query_ip OUTPUT ip description
| fields - _time
| transpose
Check out http://answers.splunk.com/answers/39885/match-an-ip-with-a-cidr-mask-into-a-csv-file. I believe this is what you want.
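
The match_type=CIDR approach from the answers above, applied to the question's vendor_lookup.csv and its ext_ip column. This is an added example, not part of the original posts. The lookup definition name vendor_lookup is an assumption, and the panel search is shown as comments so that everything stays in one block.

```ini
# transforms.conf
# Added example. The stanza name "vendor_lookup" is an assumption;
# the file name and the ext_ip column come from the question.
[vendor_lookup]
filename = vendor_lookup.csv
# Treat the ext_ip column as CIDR ranges, so a single address such as
# 192.104.169.139 matches the row 192.104.169.128/25.
match_type = CIDR(ext_ip)
# If ranges in the file overlap, return only the first matching row
# (rows are taken in file order).
max_matches = 1

# Search for the dashboard panel, fed by the form's "code" token.
# The |s token filter quotes and escapes the typed value, so a stray
# quote in the text box cannot break out of the eval string.
#
#   | makeresults
#   | eval ext_ip=$code|s$
#   | lookup vendor_lookup ext_ip OUTPUT description
#   | table ext_ip description
```

The field passed to lookup has to be the one named in CIDR(...), here ext_ip. With the row from the question, entering 192.104.169.139 returns vendor_name in the description column.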