- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup with CIDR
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
I feel like this shouldn't be rocket science,but I just can't make it work.
Our internal network is pretty complicated with IPs assigned to departments in pretty granular form. I would like to do the hard work ahead of time and put our IPAM (IP Address Management) into a lookup table. I am trying on a very small sample first to get it working then will add the rest.
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[ipam]
LOOKUP-ipam = ipam Dept OUTPUTNEW Department
ipam.csv
src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
So if I do a search of 10.17.10*.* I would like to get a new Department field created with the value of Rec and Park assigned to it.
Thanks.
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am half way there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.
The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
ipam.csv
src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am half way there, I will actually open a separate answer for the next issue because it is not directly related to making the lookup work.
The issue here was that in the props, the bracketed words are a sourcetype. The documentation was either missing this detail or I skimmed over it. Hopefully this post will help someone else.
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
ipam.csv
src_ip,Dept
10.17.101.0/16,Some_Dept_Name
10.17.102.0/15,Some_Dept_Name
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MHibbin,
So do I need the same stanza for each source type in props.conf?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I completely overlooked that!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your lookup should probably be something like:
[ipam]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
I've note tested/tried this as I normally don't use the automatic lookups (for some reason).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ccsfdave, Hmmm... try changing the src_ip field in your lookup to srcip, and then change it in you transforms.conf. Then change the props.conf to the following:
LOOKUP-ipam = ipam srcip AS src_ip OUTPUTNEW Dept AS Department
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, I get:
[DT-SPLK-Idx] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'ipam' and lookup table 'ipam'.
After cutting and pasting your suggestion above. 😞 Thanks though!
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
