Hi All 🙂
I may have had too much coffee, because I'm having some trouble getting my head around this one.
I have some web logs in which I have used Splunk to extract out a list of unique source IP addresses for incoming customer requests, and I would like to find out what ISP the requests originated from.
I have created a csv lookup table from the output of a 'show ip bgp' and a scripted 'whois' that is structured as follows:
220.127.116.11/19,9268,Over The Wire Pty Ltd
So as far as my caffeine-riddled bloodstream can tell I need to:
eg. The IP address 18.104.22.168 will be a unique match, as will
isp-name as my report sees fit
eg. Two from the example listed above.
...and I'm stuck on... step 1.
Is it possible to evaluate to see if a client_ip is present in a network range that is in an external lookup table, or am I going to need to script this up?
I'm running 4.2 and I have seen the cidrmatch command as well as the Splunk>Answers "How to best determine IP range membership?", however when dealing with 100,000+ routes I'm not sure this is the correct tool or way to do this.
As always, any help or suggestions gratefully received 🙂
As of Splunk 4.2 you can specify a match_type for a lookup in transforms.conf. See http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf
Setting the match_type to CIDR for your IP range field is probably what you are looking for.
[mylookup]
filename = isp.csv
match_type = CIDR(network-range)
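To make concrete what a CIDR-typed lookup has to do for the asker's data (and why plain string equality on the client IP can't work), here is an added example that is not part of the original thread or of Splunk: a small Python script that loads a CSV with the same three columns as the posted row and resolves each client IP to the most specific route that contains it. The header names network-range, asn and isp-name are assumed (the post shows no header line), and the extra rows in the embedded CSV are constructed purely to show the overlapping-route case. Longest-prefix match is the BGP routing rule; the script uses it so that a more specific route wins over a covering aggregate, which is the behaviour you should verify your Splunk lookup gives you with maxmatches=1 before trusting the report.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lookup file in the layout of the thread's example row.
# Header names are assumed; rows other than the first are made up to show
# a more-specific route nested inside a covering /19.
SAMPLE_CSV = """network-range,asn,isp-name
220.127.116.11/19,9268,Over The Wire Pty Ltd
220.127.120.0/22,64500,More Specific Example Net
18.104.22.0/24,64501,Example Hosting
"""


def load_lookup(csv_text):
    """Parse the CSV into {prefix_len: {network_as_int: (asn, isp)}}.

    Bucketing by prefix length lets a lookup test at most 32 candidate
    networks per IP, which scales to 100k+ routes without a linear scan.
    strict=False accepts rows like 220.127.116.11/19 that still carry host
    bits (as 'show ip bgp' output sometimes does) and normalises them.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ip_network(row["network-range"].strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 routes are supported: {net}")
        bucket = table.setdefault(net.prefixlen, {})
        bucket[int(net.network_address)] = (row["asn"].strip(), row["isp-name"].strip())
    return table


def lookup_ip(table, ip_str):
    """Return (matched_network, asn, isp) for the longest matching prefix, or None."""
    ip = ip_address(ip_str)
    if ip.version != 4:
        raise ValueError(f"only IPv4 clients are supported: {ip}")
    ip_int = int(ip)
    # Try the most specific prefix length first so a /22 beats a covering /19.
    for plen in sorted(table, reverse=True):
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        net_int = ip_int & mask
        hit = table[plen].get(net_int)
        if hit is not None:
            return (f"{ip_address(net_int)}/{plen}",) + hit
    return None


def isp_report(table, client_ips):
    """Count unique client IPs per (asn, isp); unmatched IPs are reported too."""
    counts = Counter()
    for ip_str in set(client_ips):
        hit = lookup_ip(table, ip_str)
        counts[hit[1:] if hit else ("-", "UNMATCHED")] += 1
    return counts


if __name__ == "__main__":
    lookup = load_lookup(SAMPLE_CSV)
    # Constructed client IPs standing in for the 'unique source IP' list.
    for ip in ["18.104.22.168", "220.127.116.11", "220.127.121.5", "10.0.0.1"]:
        print(ip, "->", lookup_ip(lookup, ip))
    print(isp_report(lookup, ["18.104.22.168", "18.104.22.168", "220.127.121.5", "10.0.0.1"]))
```

In Splunk the same join is expressed as a lookup against the CIDR-typed field, for example `| lookup mylookup network-range AS client_ip OUTPUT asn isp-name` (field names assumed as above); the script is useful as an offline cross-check that the counts the lookup produces agree with a longest-prefix interpretation of the route table.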
Yep, that worked a treat! Interesting sidenote... the change to use:
match_type = CIDR(network-range)
Can't be done via the GUI, which is fine; however, if you make any changes in the GUI after doing this (eg. maxmatches = 1), then the transforms.conf is reset to the values that may ONLY be set via the GUI.
That is to say, I lost my match_type command.
Thanks again 🙂