Splunk Search

How to use lookup for CIDR IP addresses?

New Member

Hello,

I am trying to look up corresponding IP addresses with a lookup table I created. Here is what I am trying to accomplish: my lookup table has 3 columns, Site, CIDR, and Description. When I do a search, I want to do something like this:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description.csv CIDR as ip

which gives me results that do not show the corresponding CIDR, Description, or SiteCode, see below:

Description  SiteCode  _time                ip
                       2018-02-15 10:57:56  10.170.92.51

Please assist, thanks!

0 Karma
1 Solution

Champion

In transforms.conf:

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is
  the default and does not need to be specified.  Only fields that should
  use WILDCARD or CIDR matching should be specified in this list

So your transforms.conf for this lookup may look like:

[sites_and_description]
filename = sites_and_description.csv
match_type = CIDR(CIDR)


Path Finder

Hi, quick question about your solution.

In a distributed environment where you have a Heavy Forwarder, Indexer, Licence manager/Deployment server, and Search Head, which system(s) would you have to edit the transforms.conf on?

Also, where would the csv containing the lookup data need to be stored? Would I just set it up as a normal data lookup file and would I also need to create a definition for it or is that what the transforms.conf entry effectively does?

Thanks very much in advance.

0 Karma

New Member

So I got this added in the transforms.conf file located at $SPLUNK_HOME/etc/system/local/

I re-ran the search and am still getting the same results.

0 Karma

Champion

You need to then run your search as:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description CIDR as ip

because sites_and_description is the name of your lookup in transforms (which has CIDR functionality). If you lookup against sites_and_description.csv, you're not making use of the transform and are hitting the CSV directly.

0 Karma
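To make the difference between the two searches concrete, here is an added Python emulation (not Splunk's code and not part of this thread) of what the default EXACT match and `match_type = CIDR(CIDR)` each do against a constructed copy of the poster's CSV. The site and description values are made up, Python's `ipaddress` module stands in for Splunk's matcher, and how Splunk ranks overlapping CIDR rows is not modelled.

```python
import csv
import io
import ipaddress

# Constructed sample of sites_and_description.csv (Site, CIDR, Description),
# using the column names from the question; the values are invented.
LOOKUP_CSV = """Site,CIDR,Description
SITE01,10.170.92.0/24,Branch office LAN
SITE02,10.170.93.0/24,Branch office VoIP
SITE03,192.168.0.0/16,Lab network
"""


def load_lookup(text):
    """Parse the lookup CSV into a list of row dicts, one per CSV line."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_exact(rows, ip, field="CIDR"):
    """Default EXACT match_type: the input must equal the CIDR cell literally.
    A host address never equals a prefix such as 10.170.92.0/24, so nothing
    matches; this is why the bare CSV lookup returned empty Description/Site."""
    return [r for r in rows if r[field] == ip]


def lookup_cidr(rows, ip, field="CIDR"):
    """match_type = CIDR(CIDR): a row matches when its CIDR contains the IP.
    Matches are returned in file order; malformed CIDR cells are skipped."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in rows:
        try:
            net = ipaddress.ip_network(r[field], strict=False)
        except ValueError:
            continue
        if addr in net:
            hits.append(r)
    return hits


def enrich(event, rows):
    """Emulate `| lookup sites_and_description CIDR as ip`: copy Site and
    Description onto the event when a CIDR row contains event["ip"]."""
    out = dict(event)
    hits = lookup_cidr(rows, event["ip"])
    if hits:
        out["Site"] = hits[0]["Site"]
        out["Description"] = hits[0]["Description"]
    return out


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print(lookup_exact(rows, "10.170.92.51"))  # [] : the poster's empty result
    print(enrich({"ip": "10.170.92.51"}, rows))
```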