Hello,
I am trying to look up corresponding IP addresses with a lookup table I created. Here is what I am trying to accomplish: my lookup table has 3 columns, Site, CIDR, and Description. When I do a search, I want to do something like this:
| makeresults | eval ip="10.170.92.51" | lookup sites_and_description.csv CIDR as ip
which gives me results that do not show the corresponding CIDR, Description, or SiteCode, see below:
   Description  SiteCode  _time                ip
1                         2018-02-15 10:57:56  10.170.92.51
Please assist, thanks!
In transforms.conf:
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is
the default and does not need to be specified. Only fields that should
use WILDCARD or CIDR matching should be specified in this list
So your transforms.conf for this lookup may look like:
[sites_and_description]
filename = sites_and_description.csv
match_type = CIDR(CIDR)
Hi, quick question about your solution.
In a distributed environment where you have a Heavy Forwarder, Indexer, Licence manager/Deployment server, and Search Head, which system(s) would you have to edit the transforms.conf on?
Also, where would the csv containing the lookup data need to be stored? Would I just set it up as a normal data lookup file and would I also need to create a definition for it or is that what the transforms.conf entry effectively does?
Thanks very much in advance.
So I got this added in the transforms.conf file located at $SPLUNK_HOME/etc/system/local/
I re-ran the search, and still getting the same results.
You need to then run your search as:
| makeresults | eval ip="10.170.92.51" | lookup sites_and_description CIDR as ip
because sites_and_description is the name of your lookup in transforms (which has CIDR functionality). If you lookup against sites_and_description.csv, you're not making use of the transform and hitting the CSV directly.