Splunk Search

How to use lookup for CIDR IP addresses?

jmartelon
New Member

Hello,

I am trying to lookup corresponding IP Addresses with my lookup table I created. Here is what I am trying to accomplish, my lookup table has 3 columns, Site, CIDR, and Description. When I do a search, I want to do something like this:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description.csv CIDR as ip

which gives me results that do not show the corresponding CIDR, description, or SiteCode, see below:

Description SiteCode    _time                      ip
1                       2018-02-15 10:57:56 10.170.92.51

Please assist, thanks!

0 Karma
1 Solution

micahkemp
Champion

In transforms.conf:

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is
  the default and does not need to be specified.  Only fields that should
  use WILDCARD or CIDR matching should be specified in this list

So your transforms.conf for this lookup may look like:

[sites_and_description]
filename = sites_and_description.csv
match_type = CIDR(CIDR)
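To make the difference between the default EXACT matching and `CIDR(CIDR)` concrete, here is an added Python example that is not part of the original post and not Splunk's own code. It loads a constructed three-column CSV shaped like the one described in the question (Site, CIDR, Description), runs the same IP through an exact-match lookup and a CIDR-match lookup, and shows why the first returns nothing while the second returns the site row. The sample networks and site names are made up; when more than one network contains the IP, this example prefers the longest prefix, which is a design choice of the example, not a statement about how Splunk breaks ties.

```python
import csv
import io
import ipaddress

# Constructed sample of the lookup table described in the thread
# (columns Site, CIDR, Description). Values are invented for this example.
SAMPLE_CSV = """Site,CIDR,Description
SITE-A,10.170.92.0/24,Example site A user LAN
SITE-B,10.170.0.0/16,Example region B supernet
SITE-C,192.168.10.0/24,Example site C lab
"""


def load_lookup(text):
    """Parse the lookup CSV into (network, row) pairs.

    Each CIDR cell is validated with ipaddress.ip_network so that a malformed
    entry fails loudly at load time instead of silently never matching.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["CIDR"].strip(), strict=False)
        rows.append((net, row))
    return rows


def exact_lookup(ip, rows):
    """EXACT matching (the default): the IP string must equal the CIDR cell.

    An address such as 10.170.92.51 never equals "10.170.92.0/24", so this is
    the behaviour behind the empty Description/SiteCode in the question.
    """
    for _net, row in rows:
        if row["CIDR"].strip() == ip:
            return row
    return None


def cidr_lookup(ip, rows):
    """CIDR matching: return the row whose network contains the IP.

    Returns None for an unparseable address or when no network contains it,
    mirroring a lookup that simply adds no output fields. Overlapping
    networks are resolved to the most specific one (longest prefix); that is
    this example's choice, not a claim about Splunk's tie-breaking.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    best = None
    for net, row in rows:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    return best[1] if best else None


if __name__ == "__main__":
    table = load_lookup(SAMPLE_CSV)
    ip = "10.170.92.51"
    print("EXACT :", exact_lookup(ip, table))   # None, as in the question
    print("CIDR  :", cidr_lookup(ip, table))    # SITE-A row
    print("CIDR  :", cidr_lookup("10.170.5.1", table))  # falls back to SITE-B
```

Running the module prints the exact-match result as `None` for `10.170.92.51`, reproducing the empty enrichment in the question, while the CIDR match returns the SITE-A row; an address inside the /16 but outside the /24 resolves to SITE-B.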


Dworsnop
Path Finder

Hi, quick question about your solution.

In a distributed environment where you have a Heavy Forwarder, Indexer, Licence manager/Deployment server, and Search Head, which system(s) would you have to edit the transforms.conf on?

Also, where would the csv containing the lookup data need to be stored? Would I just set it up as a normal data lookup file and would I also need to create a definition for it or is that what the transforms.conf entry effectively does?

Thanks very much in advance.

0 Karma

jmartelon
New Member

So I got this added in the transforms.conf file located at $SPLUNK_HOME/etc/system/local/

I re-ran the search, and still getting the same results.

0 Karma

micahkemp
Champion

You need to then run your search as:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description CIDR as ip

because sites_and_description is the name of your lookup in transforms (which has CIDR functionality). If you look up against sites_and_description.csv, you're not making use of the transform and are hitting the CSV directly.

0 Karma