
Mapping IPs to netmask

Contributor

I got a list of network masks used in our company and would like to map the IP addresses in my logs to these netmasks. All the networks are class C and the list is in CSV format.


Format:

10.30.4.0/24,Administration I
10.30.5.0/24,Administration II
10.71.30.0/24,Production ES
10.71.31.0/24,Production FR

Is there a description on how to get this mapping done?


Do I need to extract a new field matching only the first three parts of the IP? Then adapting the CSV to contain only "xxx.xxx.xxx,description".

Would this be the best way to go?



Thanks

0 Karma

Legend

Simply use your CSV directly as a lookup file and specify in your transforms.conf directive that Splunk should do CIDR matches on the first field. More information here: http://splunk-base.splunk.com/answers/5916/using-cidr-in-a-lookup-table

And here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf
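
A minimal configuration for the CIDR lookup described in the answer above, as an added example that is not part of the original post. The stanza name `company_networks`, the file name, the column names `network` and `description`, and the event field `src_ip` are assumptions.

```ini
# transforms.conf (added example; names below are assumptions, not from the thread)
[company_networks]
# CSV placed in the app's lookups directory
filename = company_networks.csv
# Treat the "network" column as a CIDR range instead of an exact string match
match_type = CIDR(network)
# Return only the first matching row (rows are evaluated in file order)
max_matches = 1

# company_networks.csv needs a header row naming the columns:
#   network,description
#   10.30.4.0/24,Administration I
#   10.30.5.0/24,Administration II
#   10.71.30.0/24,Production ES
#   10.71.31.0/24,Production FR

# Use in a search, assuming the events carry the address in a field "src_ip":
#   ... | lookup company_networks network AS src_ip OUTPUT description
```

With CIDR matching the full IP address from the event is compared against each range, so no separate field holding only the first three octets is needed.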