I am trying to find the correct way to query a lookup file based on a where clause with CIDRMATCH.
I have the following scenario:
We have a lookup table that contains a mapping between our customers and IP Address ranges that are assigned to them. So, the lookup table looks like the following example:
CustomerName   Prefix
Customer A     10.1.1.0/24
Customer B     172.16.42.0/16
Customer C     192.168.1.0/24
Additionally, we have sFlow Data that contains explicit IP Addresses as source and destination information. We would like to add a field to each event that holds the CustomerName based on a cidrmatch query of the source or dest IP Address.
I can query the lookup table with cidrmatch to get the required information with the following query:
| inputlookup tenants.csv | where (cidrmatch(myprefix,"10.66.148.3")) | fields customer | dedup customer
And I can query the sFlow data to show the connection information that comes from the sFlow data, but I didn't find a way to combine these two queries to get the result I want.
For example, I tried it with eval and inputlookup:
source="stream:sflow" | eval Customer=[| inputlookup tenants.csv | where (cidrmatch(myprefix,dest_ip)) | fields customer ]
Maybe someone can give me a hint on how this should or can work!
Thanks in advance
You cannot perform a CIDR match for a lookup without first creating a lookup definition and specifying which field is a wildcard (CIDR) match.
In order to do what you want, you must create a lookup definition first.
At that point you can use the lookup like this:
| lookup tenants_definition_name prefix as dest_ip OUTPUT CustomerName as Customer
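As an added example (not the answer author's own configuration), this is what the lookup definition looks like when created in transforms.conf rather than through Settings > Lookups > Lookup definitions > Advanced options. It assumes the CSV is named tenants.csv with the columns CustomerName and Prefix as shown in the question's table, that the definition is called tenants_definition, and that the sFlow events carry src_ip and dest_ip fields; all of those names are assumptions here.

```ini
# transforms.conf (assumed file and field names; example only)
[tenants_definition]
# the CSV uploaded under Settings > Lookups > Lookup table files
filename = tenants.csv
# tell Splunk to compare the Prefix column as a CIDR range instead of
# doing an exact string match; this is what makes the lookup work
match_type = CIDR(Prefix)
# with overlapping prefixes more than one row can match and the output
# field becomes multivalued; cap it at one row per event
max_matches = 1
# if no prefix matches, emit a placeholder instead of leaving the field empty
min_matches = 1
default_match = unknown
```

With that definition in place the search no longer needs a subsearch; each IP is matched against the ranges as part of the event stream, once for each direction: `source="stream:sflow" | lookup tenants_definition Prefix AS src_ip OUTPUT CustomerName AS src_customer | lookup tenants_definition Prefix AS dest_ip OUTPUT CustomerName AS dest_customer`. Note that the lookup field named before AS must be the CSV column (Prefix), and the field after AS is the one in the event, which is the same order the answer above uses.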