- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- subnet information
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have subnet lookup in cidr notation. so i am trying to print subnet detail with dest ip but not getting result.
query:-
index=xyz | stats count by dest | lookup subnet.csv subnet as dest output subnet as subnets
I have no any transformation stanza right now so let me know if any other staza require to compute this or any other way.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, either in the web gui or in transforms.conf (which is where the web will write it), you need to specify the match type for that field.
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Transformsconf#Lookup_tables
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. Only fields
that should use WILDCARD or CIDR matching should be specified in this list.
* Default: EXACT
So probably something like this in transforms:
[subnet]
filename = subnet.csv
match_type = CIDR(subnet)
And if you want the lookup to happen automatically, that would be in props.conf (but also in the web).
So the simple lookup is in the lookups directory. The table definition (case sensitivity, wildcards, max matches, etc) is defined in transforms. And automatically running the lookup command for host/source/sourcetype is done in props.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, either in the web gui or in transforms.conf (which is where the web will write it), you need to specify the match type for that field.
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Transformsconf#Lookup_tables
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. Only fields
that should use WILDCARD or CIDR matching should be specified in this list.
* Default: EXACT
So probably something like this in transforms:
[subnet]
filename = subnet.csv
match_type = CIDR(subnet)
And if you want the lookup to happen automatically, that would be in props.conf (but also in the web).
So the simple lookup is in the lookups directory. The table definition (case sensitivity, wildcards, max matches, etc) is defined in transforms. And automatically running the lookup command for host/source/sourcetype is done in props.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @maciep
Also, I am not aware about connectivity between props.conf and automatic lookup. Thanks for sharing.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
