Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can I make two lookup tables that specify the same output field name?

xvxt006
Contributor
‎06-24-2013 08:40 PM

Hi,

i have individual IPs and then CIDR blocks that i want to look up and group them using a look up table. I am assuming i cannot have both in the same .csv file as i have to add match_type = CIDR(clientip). Then it won't match the individual ips ( 63.158.163.8,64.274.165.6 in the list below). So i created 2 look up tables one for CIDR and one for individual IPs. Both of them i have output field as "Name". Question is would that work? is it possible to have same output field name in both the lookup tables? ideally i would like to have same Output name.

Name            clientip
Company XXX     63.122.163.0/27 
Company YYYY    63.158.163.8
Company YYYY    64.274.165.6
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-24-2013 10:56 PM

You don't need to have two separate lookup tables. Individual IP addresses can also be CIDR notated. The bitmask would be /32 (i.e. matching all the bits). So for instance instead of 63.158.163.8 write 63.158.163.8/32.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-24-2013 10:56 PM

You don't need to have two separate lookup tables. Individual IP addresses can also be CIDR notated. The bitmask would be /32 (i.e. matching all the bits). So for instance instead of 63.158.163.8 write 63.158.163.8/32.

Reply
Solved! Jump to solution

xvxt006
Contributor
‎06-27-2013 01:08 PM

Oh i just saw this response from my other thread. For some reason i did not get the email notification Ayn (which i generally get). Thanks for your help. I am not familiar with these CIDR formats. I will read it. Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎06-25-2013 06:14 AM

Are you familiar with how to notate networks in CIDR format? If you're not I suggest you go read up on it before using it in a lookup 🙂

63.123.45.* would be equivalent to 63.123.45.0/24 (3 octets filled --> 3*8 = 24) and 63.123.* equivalent to 63.123.0.0/16 (2*8 = 16)

Reply
Solved! Jump to solution

xvxt006
Contributor
‎06-25-2013 06:06 AM

For some reason in the above comment it is not showing star after the dot

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎06-25-2013 06:04 AM

Thank you Ayn. I did not know that. One other question i have around IPs is, if i have IPs like 63.123.45.* or 63.123.* something like that, how can i use them in lookup table?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...