Splunk Search

Why is my CIDR lookup search returning no results for any field from the lookup table?

malat_UoM
Explorer

Hi folks... I realize every conceivable permutation of this question has already been asked and answered - I've sure looked through them all, but I just can't seem to get CIDR match in a lookup to work.

Use case: huge LAN address space with upwards of 800 subnets, managed by multiple frontline IT teams. Need a way of pinning down the subnet for a host so delegation of issues becomes more straightforward than a manual IPAM search.

I have a lookup csv, VLAN_Lookup.csv, sitting in $SPLUNK_HOME/etc/apps/search/lookups. Format is,

Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation
123.234.0.0/24,Sxyz,Dxyz,Bxyz,Name_of_VLAN_X,wx.yz%
...
(The "Utilisation" field is important to us because we're forever running out of addresses.)

The current stanza in transforms.conf (I've tried a couple of others, all with the same outcome) is,

[VLAN_Lookup]
filename = VLAN_Lookup.csv
match_type = CIDR(Subnet)
max_matches = 1
fields_list = Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation

Running | inputlookup VLAN_Lookup | table Subnet Site_ID Department_ID Building_ID VLAN_Name Utilisation in Splunkweb pulls the information out of the csv file without a problem (indicating the lookup definition is fine), but trying to run a search like

sourcetype=blah client_ip=* | lookup VLAN_Lookup Subnet AS client_ip OUTPUT VLAN_Name AS VLAN_Name
| table client_ip VLAN_Name

results in VLAN_Name (or whatever other field from the lookup table I pick) always coming up blank.

What am I missing? 😞

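Before restarting anything, it helps to rule out the lookup data itself. The script below is an added example (not from the original post and not Splunk code): it reads a CSV with the same header as VLAN_Lookup.csv and does offline what `match_type = CIDR(Subnet)` asks Splunk to do, so you can confirm that every Subnet value actually parses as CIDR, that no two subnets overlap (which matters with `max_matches = 1`), and what `lookup VLAN_Lookup Subnet AS client_ip OUTPUT VLAN_Name Utilisation` should return for a few client IPs. The CSV rows and client IPs are constructed sample data, the function names are this example's own, and longest-prefix matching is the example's choice for resolving overlaps, not a statement about how Splunk breaks ties.

```python
"""
Offline sanity check for a Splunk CIDR lookup table.

Added example, not from the original post or from Splunk. It mimics the
matching that `match_type = CIDR(Subnet)` requests, so the lookup data can
be verified outside Splunk before blaming transforms.conf or a search head.
"""
import csv
import io
import ipaddress

# Constructed stand-in for $SPLUNK_HOME/etc/apps/search/lookups/VLAN_Lookup.csv.
# Same header as the post; the rows are made up and include one deliberately
# malformed subnet (/33) and one pair of overlapping subnets.
VLAN_LOOKUP_CSV = """\
Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation
10.10.0.0/16,S001,D010,B01,Campus_Core,41.2%
10.10.5.0/24,S001,D011,B02,Library_Staff,93.8%
10.20.7.0/24,S002,D020,B07,Labs_East,12.0%
10.30.1.0/33,S003,D030,B09,Broken_Row,5.0%
"""


def load_lookup(csv_text):
    """Parse the CSV into (network, row) pairs.

    Rows whose Subnet does not parse as CIDR are returned separately rather
    than silently dropped: such a row can never match in Splunk either, so a
    table full of them produces exactly the blank output the post describes.
    """
    good, bad = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["Subnet"].strip(), strict=False)
        except ValueError:
            bad.append(row["Subnet"])
            continue
        good.append((net, row))
    return good, bad


def overlapping_subnets(entries):
    """Return pairs of Subnet strings whose address ranges overlap.

    With max_matches = 1 only one row is emitted per event, so overlapping
    rows make the answer depend on which match is picked; list them so the
    table can be made unambiguous.
    """
    pairs = []
    for i, (a, _) in enumerate(entries):
        for b, _ in entries[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def lookup_ip(ip, entries, fields=("VLAN_Name",)):
    """Resolve one client IP to the most specific matching row.

    Longest prefix wins; that is this example's own tie-break for overlaps.
    Returns a dict of the requested output fields, or None when no subnet
    contains the address (the blank VLAN_Name seen in the post).
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, row in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row)
    if best is None:
        return None
    return {f: best[1][f] for f in fields}


def resolve_all(ips, csv_text=VLAN_LOOKUP_CSV):
    """Offline equivalent of
    `| lookup VLAN_Lookup Subnet AS client_ip OUTPUT VLAN_Name Utilisation`
    over a list of client_ip values; unmatched IPs map to None."""
    entries, _ = load_lookup(csv_text)
    return {ip: lookup_ip(ip, entries, ("VLAN_Name", "Utilisation")) for ip in ips}


if __name__ == "__main__":
    entries, bad_rows = load_lookup(VLAN_LOOKUP_CSV)
    print("rows that can never CIDR-match:", bad_rows)
    print("overlapping subnets:", overlapping_subnets(entries))
    for ip, hit in resolve_all(["10.10.5.17", "10.10.200.1", "192.0.2.9"]).items():
        print(ip, "->", hit)
```

If this script resolves your real client IPs correctly against the real CSV but Splunk still returns blanks, the data is fine and the problem is on the configuration side (which is what the accepted answer below turned out to be).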
1 Solution

malat_UoM
Explorer

OK; false alarm, sort of... turns out "If at first you don't succeed, try, try again" applied to Splunk restarts in this eventuality.

(we run a distributed environment, with two search heads, and a common set of config files in a mounted remote directory; both search heads had to be restarted for the changes in transforms.conf to get picked up, rather than just the one I was running searches on...)

