
Mapping IPs to netmask


I got a list of network masks used in our company and would like to map the IP addresses in my logs to these netmasks. All the networks are class C and the list is in CSV format.

Format:,Administration I,Administration II,Production ES,Production FR

Is there a description on how to get this mapping done?

Do I need to extract a new field matching only the first three parts of the IP? Then adapting the CSV to contain only "xxx.xxx.xxx,description".

Would this be the best way to go?




Simply use your CSV directly as a lookup file and specify in your transforms.conf directive that Splunk should do CIDR matches on the first field. More information here: http://splunk-base.splunk.com/answers/5916/using-cidr-in-a-lookup-table

And here: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf
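The CIDR lookup described in the answer above, written out as an added example that is not part of the original thread. The lookup name `netmask_lookup`, the file name `networks.csv`, the column names `network` and `description`, the event field `src_ip`, the sourcetype `my_sourcetype` and the sample networks are all assumptions made for illustration.

```ini
# --- lookups/networks.csv (constructed sample data) -------------------
# The first column must hold the networks in CIDR notation, so a class C
# network is written with a /24 suffix. A header row names the columns.
#
#   network,description
#   10.1.1.0/24,Administration I
#   10.1.2.0/24,Administration II
#   10.2.1.0/24,Production ES
#   10.2.2.0/24,Production FR

# --- transforms.conf ---------------------------------------------------
[netmask_lookup]
filename = networks.csv
# Treat the "network" column as a CIDR range instead of an exact string.
match_type = CIDR(network)
# Return one description per IP, even if ranges in the file overlap.
max_matches = 1
# Always emit a value, so unmapped addresses are visible in results
# instead of silently producing no description field.
min_matches = 1
default_match = unknown

# --- props.conf (optional: apply the lookup automatically) -------------
[my_sourcetype]
LOOKUP-netmask = netmask_lookup network AS src_ip OUTPUT description

# --- ad hoc use in a search --------------------------------------------
#   ... | lookup netmask_lookup network AS src_ip OUTPUT description
#       | stats count by description
```

With `default_match = unknown`, addresses outside every listed network show up under the `unknown` description, which makes gaps in the network list easy to spot. No extra field extraction for the first three octets is needed, because the CIDR match compares the full IP against each range.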