Splunk Search

How to use lookup for CIDR IP addresses?

jmartelon
New Member

Hello,

I am trying to look up corresponding IP addresses using a lookup table I created. Here is what I am trying to accomplish: my lookup table has 3 columns, Site, CIDR, and Description. When I do a search, I want to do something like this:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description.csv CIDR as ip

but I get results that do not show the corresponding CIDR, Description, or SiteCode; see below:

Description SiteCode    _time                      ip
1                       2018-02-15 10:57:56 10.170.92.51

Please assist, thanks!

0 Karma
1 Solution

micahkemp
Champion

In transforms.conf:

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is
  the default and does not need to be specified.  Only fields that should
  use WILDCARD or CIDR matching should be specified in this list

So your transforms.conf for this lookup may look like:

[sites_and_description]
filename = sites_and_description.csv
match_type = CIDR(CIDR)

Dworsnop
Path Finder

Hi, quick question about your solution.

In a distributed environment where you have a Heavy Forwarder, Indexer, Licence manager/Deployment server, and Search Head, which system(s) would you have to edit the transforms.conf on?

Also, where would the csv containing the lookup data need to be stored? Would I just set it up as a normal data lookup file and would I also need to create a definition for it or is that what the transforms.conf entry effectively does?

Thanks very much in advance.

0 Karma

jmartelon
New Member

So I got this added in the transforms.conf file located at $SPLUNK_HOME/etc/system/local/

I re-ran the search, and I am still getting the same results.

0 Karma

micahkemp
Champion

You need to then run your search as:

| makeresults | eval ip="10.170.92.51" | lookup sites_and_description CIDR as ip

because sites_and_description is the name of your lookup in transforms (which has CIDR functionality). If you look up against sites_and_description.csv, you're not making use of the transform and are hitting the CSV directly.

0 Karma
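The two behaviours discussed in this thread (the accepted answer's match_type = CIDR(CIDR) versus the default EXACT matching, and the last reply's point that querying the .csv file directly bypasses the transform) can be reproduced outside Splunk. The Python script below is an added illustration, not code from the thread or from Splunk: it loads a constructed sample of the sites_and_description.csv lookup, shows why a host address never matches a CIDR string under exact comparison, shows what containment matching returns instead, and flags CIDR entries that do not parse, since a malformed range in the lookup silently never matches. The SiteCode values and networks in SAMPLE_CSV are invented, and the script returns every containing row for overlapping ranges; how Splunk itself handles overlapping matches depends on the lookup's max_matches setting, which this script does not model.

```python
import csv
import io
import ipaddress

# Constructed sample of a sites_and_description.csv lookup (not the poster's file).
# The LAB range deliberately overlaps HQ to show the multiple-match case.
SAMPLE_CSV = """SiteCode,CIDR,Description
HQ,10.170.92.0/24,Headquarters user LAN
DC1,10.20.0.0/16,Primary data centre
LAB,10.170.0.0/16,Engineering lab (overlaps HQ)
"""


def load_lookup(text):
    """Parse the CSV and attach a parsed network object to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        row["_network"] = ipaddress.ip_network(row["CIDR"], strict=False)
        rows.append(row)
    return rows


def exact_match(rows, ip):
    """Default (EXACT) lookup semantics, i.e. what happens when the search
    targets the .csv file directly and no transform is applied: the IP string
    is compared literally to the CIDR string, so a host address never equals
    a network written with a prefix length."""
    return [r for r in rows if r["CIDR"] == ip]


def cidr_match(rows, ip):
    """Semantics enabled by match_type = CIDR(CIDR) in transforms.conf:
    the address matches a row when it falls inside that row's network."""
    addr = ipaddress.ip_address(ip)
    return [r for r in rows if addr in r["_network"]]


def validate_cidrs(text):
    """Return the CIDR values that do not parse as networks. A bad entry
    produces no error in a lookup; it simply never matches anything."""
    bad = []
    for row in csv.DictReader(io.StringIO(text)):
        value = (row.get("CIDR") or "").strip()
        try:
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            bad.append(value)
    return bad


if __name__ == "__main__":
    rows = load_lookup(SAMPLE_CSV)
    ip = "10.170.92.51"  # the address from the original search
    print("exact:", [r["SiteCode"] for r in exact_match(rows, ip)])
    print("cidr: ", [r["SiteCode"] for r in cidr_match(rows, ip)])
    print("bad CIDRs:", validate_cidrs(SAMPLE_CSV))
```

Running the script prints an empty list for the exact comparison and both the HQ and LAB rows for the CIDR comparison, which is the difference the thread turns on: the search has to reference the transform name (sites_and_description) so that the CIDR match type is applied, rather than the CSV file name.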