Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup with CIDR

ccsfdave
Builder
‎07-02-2013 09:23 AM

Greetings,

I feel like this shouldn't be rocket science,but I just can't make it work.

Our internal network is pretty complicated with IPs assigned to departments in pretty granular form. I would like to do the hard work ahead of time and put our IPAM (IP Address Management) into a lookup table. I am trying on a very small sample first to get it working then will add the rest.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[ipam]
LOOKUP-ipam = ipam Dept OUTPUTNEW Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

So if I do a search of 10.17.10*.* I would like to get a new Department field created with the value of Rec and Park assigned to it.

Thanks.

Dave

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ccsfdave
Builder
‎07-03-2013 07:31 AM

So I am half way there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.

The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

View solution in original post

Reply
Solved! Jump to solution
Solution

ccsfdave
Builder
‎07-03-2013 07:31 AM

So I am half way there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.

The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

ipam.csv

src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name

Reply
Solved! Jump to solution

ccsfdave
Builder
‎07-03-2013 11:34 AM

MHibbin,

So do I need the same stanza for each source type in props.conf?

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎07-03-2013 08:57 AM

I completely overlooked that!

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎07-02-2013 09:38 AM

Your lookup should probably be something like:

[ipam]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

I've note tested/tried this as I normally don't use the automatic lookups (for some reason).

Reply
Solved! Jump to solution

MHibbin
Influencer
‎07-03-2013 02:46 AM

@ccsfdave, Hmmm... try changing the src_ip field in your lookup to srcip, and then change it in you transforms.conf. Then change the props.conf to the following:

LOOKUP-ipam = ipam srcip AS src_ip OUTPUTNEW Dept AS Department

0 Karma
Reply
Solved! Jump to solution

ccsfdave
Builder
‎07-02-2013 09:43 AM

Hmm, I get:

[DT-SPLK-Idx] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'ipam' and lookup table 'ipam'.

After cutting and pasting your suggestion above. 😞 Thanks though!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...