I'm trying to write a search for an asset lookup that I'm able to query to take a list of IPs and bring back the corresponding CIDR range and a criticality and then table them.
Example: One lookup table (assets) - host, ip
Another lookup table: (network_hierarchy) - CIDR, criticality
Ideally when we run the LDAP search that populates our host/ip list - I'd like to be able to use the IP to search the other lookup based on CIDR range and then return that result along with the criticality field back to the original table - ultimately getting one table with host, ip, CIDR, criticality - I just don't know how to make it function in order to have Splunk's logic match IP to its CIDR range and then bring everything back into one lookup table.
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is
the default and does not need to be specified. Only fields that should
use WILDCARD or CIDR matching should be specified in this list
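The match_type setting above is applied per lookup definition, so the CIDR matching goes on the network_hierarchy lookup, not on the search. The stanza below is an added example (not from the original post or from Splunk's own configuration files); it assumes the network_hierarchy lookup is backed by a CSV file named network_hierarchy.csv with the two columns the question describes, CIDR and criticality, and lives in the app's local/transforms.conf:

```ini
# local/transforms.conf (assumed location; adjust to the app that owns the lookup)
[network_hierarchy]
# CSV uploaded to that app's lookups directory; columns: CIDR,criticality (assumed file name)
filename = network_hierarchy.csv
# match_type takes <match_type>(<field_name>): match the lookup's CIDR column
# as a subnet instead of an exact string. Other columns stay EXACT by default.
match_type = CIDR(CIDR)
```

With that definition in place, the IP from the assets lookup can be handed to the CIDR column and the matching range and criticality pulled back, e.g. `| inputlookup assets | lookup network_hierarchy CIDR AS ip OUTPUT CIDR AS matched_cidr, criticality | table host ip matched_cidr criticality`. The same match type can be set without editing files under Settings > Lookups > Lookup definitions > Advanced options (Match type: CIDR on the CIDR field). Rows whose IP falls in no listed range will come back with empty matched_cidr and criticality fields, which is a useful check that the CSV covers every subnet the asset list touches.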