I'm running Splunk 6.5. I see Min Matches, Max Matches, and Default Matches. I would like to define a lookup table that uses CIDR ranges. Is this a permissions issue, a version issue, or a configuration issue? I've see screen shots that suggest their should be match_type field in advanced options. I don't have access to modify transforms.conf directly.
Thanks.
pk
I am pretty sure they enabled CIDR (match_type) option in recent versions (7.0+ versions) of splunk. We cannot apply CIDR (match_type) in 6.5 version through UI in Advanced options.
So the only way to do this in versions prior to 7 is to manually edit that transform.conf file? Is a match_type of CIDR supported in 6.5 and just not available via the UI or is the feature absent altogether?
Typically yes!!! Editing the transforms.conf file is the only option.
Thanks so much for the info. At least I know where I stand. I have also found through a little experimenting in the UI that the match_type parameter is not preserved when I clone a definition where it is set. That seems like a bug to me...
What role do you have (for the user you're logging in as)?
Power User