I want to add an AS number to an IP by using some geo data. This data has the columns AS number and network, like below.
AS_number,network
xxxxx,10.0.0.0/24
I uploaded this data as a lookup, and configured the lookup definition with CIDR(network).
Then I tried some ip addresses like below, but it didn't work.
| makeresults count=2
| streamstats count as c
| eval network=if(c=1,"2001:4860:4860::8844","216.58.197.131")
| lookup Geo_AS_Lookup network OUTPUT
So I extracted only the lines with the following two networks matching the test addresses, and created a new lookup table and lookup definition.
AS_number,network
xxxxx,2001:4860:4840::/42
yyyyy,216.58.192.0/19
Then it began to match well.
I wonder, is there a result limit for lookups? (* Because this lookup has about 440000 rows.)
If someone knows about it, please tell me.
Apparently the size matters more than the number of rows.
I made two data files as below and found that the one smaller than 10 MB matched well.
sample_geo.csv 27MB (500000 rows with 3 columns)
sample_geo_2.csv 8.95MB (500000 rows with 2 columns)
Have you seen this link? It has a description of max_memtable_bytes.
https://answers.splunk.com/answers/8228/lookup-table-limits.html
When I set the following in limits.conf, it worked well.
[lookup]
max_memtable_bytes = 20000000
I wonder if this is by design...
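An offline check for the situation in this thread, added here as an example and not code from any poster: it uses Python's `ipaddress` module to confirm that the test addresses fall inside the CSV's networks, and compares the file size with a byte limit, so a failed AS enrichment can be attributed to the data or to the size. The function names, the 10,000,000-byte default and the malformed sample row are assumptions made for the example.

```python
import csv
import io
import ipaddress

# Constructed sample: the two rows from the thread (AS values are the
# thread's placeholders) plus one deliberately malformed row.
SAMPLE_CSV = """AS_number,network
xxxxx,2001:4860:4840::/42
yyyyy,216.58.192.0/19
zzzzz,not-a-network
"""
# Assumption: byte threshold to compare against, taken from the ~10 MB
# boundary observed in the thread, not read from a Splunk instance.
ASSUMED_LIMIT_BYTES = 10_000_000

def load_networks(csv_text):
    """Parse AS_number,network rows; return (networks, unparsable values)."""
    nets, bad = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["network"].strip(), strict=False)
            nets.append((net, row["AS_number"]))
        except ValueError:
            bad.append(row["network"])
    return nets, bad

def match_as(ip_text, nets):
    """AS of the longest-prefix network containing ip_text, else None.
    Longest-prefix is this script's choice for overlapping rows."""
    ip = ipaddress.ip_address(ip_text)
    hits = [(n.prefixlen, asn) for n, asn in nets
            if n.version == ip.version and ip in n]
    return max(hits)[1] if hits else None

def check_lookup(csv_text, test_ips, size_bytes=None, limit=ASSUMED_LIMIT_BYTES):
    """Summarise file size against the limit and per-address matches."""
    nets, bad = load_networks(csv_text)
    size = len(csv_text.encode()) if size_bytes is None else size_bytes
    return {
        "size_bytes": size,
        "over_limit": size > limit,
        "unparsable": bad,
        "matches": {ip: match_as(ip, nets) for ip in test_ips},
    }

if __name__ == "__main__":
    ips = ["2001:4860:4860::8844", "216.58.197.131"]
    print(check_lookup(SAMPLE_CSV, ips))                        # small file
    print(check_lookup(SAMPLE_CSV, ips, size_bytes=27_000_000)) # 27 MB case
```

If the addresses match here while the Splunk lookup returns nothing and `over_limit` is true, the file size is the first thing to check, as the thread found.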