I have a lookup file called prefixes.csv, and it has about 5 headers:
prefix,location,description,owner
"1.0.0.0/8",usa,"corporate things","joe schmoe"
I want to be able to reference this file so that, for example, if I am looking at firewall logs, I can ignore or, alternatively, specifically look for events where their src_ip falls into these ranges.
So for example, something like:
index=firewall src_ip=* | search NOT [| inputlookup prefixes.csv | fields + prefix | rename prefix AS src_ip]
I know that I can do something like this if I had every range expanded for single entries per IP, but is there a way to do this with cidr? I have tried doing the lookup definition route but I think I am missing something or misunderstanding something there.
Thanks in advance
1.0.0.0/8 is a CIDR notation. Splunk lookup fully supports it. See Create a CSV lookup definition about how to set up the "prefix" field as type CIDR.
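The lookup definition the answer points to, written out as a transforms.conf stanza. This is an added example, not code from the thread or from Splunk's documentation; the stanza name prefixes and the app path are assumptions, while the file name prefixes.csv and the prefix column come from the question.

```ini
# transforms.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/transforms.conf
# Added example, not from the original thread. The stanza name "prefixes"
# and the <app> placeholder are assumptions; prefixes.csv and the "prefix"
# column are taken from the question.
[prefixes]
filename = prefixes.csv
# Match the incoming value (here src_ip) against each row's "prefix" column
# as a CIDR block rather than requiring an exact string match.
match_type = CIDR(prefix)
```

The same definition can be created in Splunk Web under Settings > Lookups > Lookup definitions > New: type File-based, file prefixes.csv, and under Advanced options set Match type to CIDR(prefix). Once it exists, the firewall search no longer needs a subsearch. To drop events from the listed ranges: `index=firewall src_ip=* | lookup prefixes prefix AS src_ip OUTPUT location owner | where isnull(location)`; to keep only those events, use `isnotnull(location)` instead. One caveat worth testing with real data: if the CSV contains overlapping rows (for example 1.0.0.0/8 and a smaller block inside it), more than one row can match a single src_ip, and the output fields may come back multivalued, so check that behaviour before building an allow-list or ignore-list on it.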
Looks like I just needed to set up the definition for 1 particular file that I was using for testing versus the others which already were set up. Thank you