I have a KV store based lookup for Port Address Translation. Given the first 3 octets of a public facing IP and a port, I need to lookup the first 3 octets of the private address from this lookup.
The lookup contains the first 3 octets of the public IP, the first 3 octets of the private IP, the maximum port for that private IP and the minimum port for that private subnet range.
Starting with a public_address of 123.45.67.8, port 1042, something like this works:

    | inputlookup PAT_translation_table where public_address="123.45.67" lower_port<="1042" upper_port>="1042"

It returns the field private_address with a value like 10.1.2 and then I append on the .8 to get the internal IP. I need to be able to do this with multiple results from other searches, however. Something like this:

    <initial search results that include src_ip and src_port>
    | rex field=src_ip "(?<first3octets>\d{1,3}\.\d{1,3}\.\d{1,3})(?<lastoctet>\.\d{1,3})"
    | inputlookup PAT_translation_table append=true where 'public_address'=first3octets 'lower_port'<=src_port 'upper_port'>=src_port
In this example, inputlookup returns nothing. If I just use the lookup command, I can't use greater than or less than so it returns all the values as an mvfield for private_address, an mvfield for upper_port, and a separate mvfield for lower_port. How would I query that?! Do any of you have any suggestions how I can do this?
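The range condition cannot be expressed inside the lookup command itself, but the multivalue result it returns is still usable: pull back every row for the matching /24, zip the three multivalue fields into one row-per-candidate field, expand it, and apply the port-range test afterwards with where. The search below is an added example, not part of the original post; it uses the field names from the post (public_address, private_address, lower_port, upper_port, src_ip, src_port, first3octets, lastoctet) and introduces the working field names pat_row, pat_net, pat_lo and pat_hi as assumptions of this example.

```spl
<initial search results that include src_ip and src_port>
| rex field=src_ip "^(?<first3octets>\d{1,3}\.\d{1,3}\.\d{1,3})(?<lastoctet>\.\d{1,3})$"
| lookup PAT_translation_table public_address AS first3octets OUTPUT private_address lower_port upper_port
| eval pat_row=mvzip(mvzip(private_address, lower_port, "|"), upper_port, "|")
| mvexpand pat_row
| rex field=pat_row "^(?<pat_net>[^|]+)\|(?<pat_lo>\d+)\|(?<pat_hi>\d+)$"
| where tonumber(src_port) >= tonumber(pat_lo) AND tonumber(src_port) <= tonumber(pat_hi)
| eval private_ip=pat_net . lastoctet
| fields - pat_row private_address lower_port upper_port pat_lo pat_hi
```

After mvexpand each event has been duplicated once per candidate lookup row, so the where clause keeps exactly the row whose port range contains src_port and discards the rest, leaving one event per original event with private_ip set (10.1.2.8 for the 123.45.67.8:1042 case). The mvzip call uses "|" as the delimiter so the second rex has an unambiguous separator. Two caveats: events whose public /24 has no entry in PAT_translation_table are dropped by the where clause, so if you need to keep them, check isnull(pat_row) before filtering; and the lookup definition's max_matches must be large enough to return all rows for a /24, otherwise candidate ranges are silently truncated.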