Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

yacht_rock
Explorer
‎03-16-2017 03:09 PM

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

Example file

environment, cidr
foo, 123.123.123/24
bar, 321.321.321/24

So I can match a source IP or a destination IP against the CIDR to get the "environment" name? Creating two fields like source_environment and destination_environment

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-16-2017 04:33 PM

Lookups are defined in transforms.conf. This is an example of the configuration that you need.

transforms.conf

[mylookup]
filename = ../lookups/thefilename.csv
max_matches = 1
min_matches = 1
default_match = Unknown
match_type = CIDR

And the search could be

yoursearchhere
| lookup mylookup dest_IP as cidr OUTPUT environment as destination_environment
| lookup mylookup source_IP as cidr OUTPUT environment as source_environment

HTH!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-16-2017 04:33 PM

Lookups are defined in transforms.conf. This is an example of the configuration that you need.

transforms.conf

[mylookup]
filename = ../lookups/thefilename.csv
max_matches = 1
min_matches = 1
default_match = Unknown
match_type = CIDR

And the search could be

yoursearchhere
| lookup mylookup dest_IP as cidr OUTPUT environment as destination_environment
| lookup mylookup source_IP as cidr OUTPUT environment as source_environment

HTH!

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...