1. a) Should I add /128 on all IPv6 entries in my CSV file to get this to work? b) If yes, does it mean I need to put an extra layer in to check which one is IPv6 or IPv4 and then append /128?

IPv4 is 32-bit, IPv6 is 128-bit. This means that if your CSV only contains host addresses, you need to use /128 with all IPv6 entries and /32 with all IPv4 entries.

2. Will OUTPUTNEW work just fine as a regular lookup?

3. a) If I update the CSV file (with new fields), will the lookup definition still work?

CIDR(ip) does not change any other aspect of the lookup.

3. b) Is there a way to automate updates on the lookup definition? I plan on creating an automatic update on the CSV, but it looks like the definition is tied to a specific field.

Not sure what you mean by automation. If you mean in the background with some external utilities, certainly. Once the lookup is defined, all you need to do is to update the file. (In a distributed deployment, however, you do need to take care to update every search head.) In Splunk, you can take a look at outputlookup. You can use a Splunk search to update an existing lookup (even create a new one).

4. Note that if I use /120, it could return multiple results like the following:

expected ip test mask 2 test mask 4 test mask 6 2001:db8:3333:4444:5555:6666::2101

That is precisely what a netmask does. (Using CIDR for a host address is just a special, and less common, use case.) You can read about IP address spaces, subnets, and CIDR in a variety of online resources.
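To make points 1 and 4 concrete, here is an added example (not code from the thread or from Splunk) that rewrites the matched column of a host-address CSV into CIDR form, /32 for IPv4 and /128 for IPv6, and then shows which rows a CIDR(ip) lookup could match for a given event address. The CSV rows, the field name `ip` and the `owner` column are constructed for the example.

```python
"""Added example: prepare a CSV for a Splunk CIDR(ip) lookup and show how a
/128 row matches one host while a /120 row covers a range of hosts."""
import csv
import io
import ipaddress

# Constructed sample rows; 'ip' is the field the lookup definition matches on.
SAMPLE_CSV = """ip,owner
10.1.2.3,lab-host
2001:db8:3333:4444:5555:6666::2101,dmz-host
192.168.0.0/16,corp-range
2001:db8:3333:4444:5555:6666::2100/120,dmz-range
"""

def to_cidr(value: str) -> str:
    """Host addresses get /32 (IPv4) or /128 (IPv6); entries that already
    carry a prefix length are validated and returned unchanged."""
    value = value.strip()
    if "/" in value:
        ipaddress.ip_network(value, strict=False)  # raises ValueError if malformed
        return value
    addr = ipaddress.ip_address(value)            # detects the address family
    return f"{value}/{addr.max_prefixlen}"        # max_prefixlen is 32 or 128

def normalize_csv(text: str, field: str = "ip") -> str:
    """Rewrite one column of a CSV so every entry is in CIDR notation."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[field] = to_cidr(row[field])
        writer.writerow(row)
    return out.getvalue()

def matching_rows(event_ip: str, text: str, field: str = "ip") -> list:
    """Rows whose CIDR contains event_ip, i.e. the candidates a CIDR(ip)
    lookup could return. A /128 row matches exactly one host; a /120 row
    covers 256 hosts, which is why a wide mask yields several results."""
    addr = ipaddress.ip_address(event_ip)
    rows = csv.DictReader(io.StringIO(normalize_csv(text, field)))
    return [r for r in rows
            if addr in ipaddress.ip_network(r[field], strict=False)]

if __name__ == "__main__":
    print(normalize_csv(SAMPLE_CSV))
    for r in matching_rows("2001:db8:3333:4444:5555:6666::2101", SAMPLE_CSV):
        print("matched:", r)
```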