Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

yacht_rock
Explorer
‎03-16-2017 03:09 PM

Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

Example file

environment, cidr
foo, 123.123.123/24
bar, 321.321.321/24

So I can match a source IP or a destination IP against the CIDR to get the "environment" name? Creating two fields like sourceenvironment and destinationenvironment

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: Is it possible to create a data model lookup attribute that is based on a CSV file that contains a name column and a CIDR column?

lguinn2
Legend
‎03-16-2017 04:33 PM

Lookups are defined in transforms.conf. This is an example of the configuration that you need.

transforms.conf

[mylookup]
filename = ../lookups/thefilename.csv
max_matches = 1
min_matches = 1
default_match = Unknown
match_type = CIDR

And the search could be

yoursearchhere
| lookup mylookup dest_IP as cidr OUTPUT environment as destination_environment
| lookup mylookup source_IP as cidr OUTPUT environment as source_environment

HTH!

View solution in original post

0 Karma
Reply