Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

yacht_rock
Explorer
‎03-16-2017 03:09 PM

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

Example file

environment, cidr
foo, 123.123.123/24
bar, 321.321.321/24

So I can match a source IP or a destination IP against the CIDR to get the "environment" name? Creating two fields like source_environment and destination_environment

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-16-2017 04:33 PM

Lookups are defined in transforms.conf. This is an example of the configuration that you need.

transforms.conf

[mylookup]
filename = ../lookups/thefilename.csv
max_matches = 1
min_matches = 1
default_match = Unknown
match_type = CIDR

And the search could be

yoursearchhere
| lookup mylookup dest_IP as cidr OUTPUT environment as destination_environment
| lookup mylookup source_IP as cidr OUTPUT environment as source_environment

HTH!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-16-2017 04:33 PM

Lookups are defined in transforms.conf. This is an example of the configuration that you need.

transforms.conf

[mylookup]
filename = ../lookups/thefilename.csv
max_matches = 1
min_matches = 1
default_match = Unknown
match_type = CIDR

And the search could be

yoursearchhere
| lookup mylookup dest_IP as cidr OUTPUT environment as destination_environment
| lookup mylookup source_IP as cidr OUTPUT environment as source_environment

HTH!

0 Karma
Reply
Get Updates on the Splunk Community!

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...