Splunk Search

How to match an IP to CIDR Range to get Criticality for ES?


I'm trying to write a search for an asset lookup that I'm able to query to take a list of IPs and bring back the corresponding CIDR range and a criticality and then table them.
Example: One lookup table (assets) - host, ip


Another lookup table: (network_hierarchy) - CIDR, criticality
CIDR                          Criticality             Critical

Ideally when we run the LDAP search that populates our host/ip list - I'd like to be able to use the IP to search the other lookup based on CIDR range and then return that result along with the criticality field back to the original table - ultimately getting one table with host, ip, CIDR, criticality - I just don't know how to make it function in order to have Splunk's logic match IP to it's CIDR range and then bring everything back into one lookup table.

Any help would be much appreciated!!

0 Karma


Probably this might help you . You can mention match_type as CIDR(cidr_range)


From the transforms.conf

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is
  the default and does not need to be specified.  Only fields that should
  use WILDCARD or CIDR matching should be specified in this list
0 Karma