Hello,
I am trying to do a firewall search for all src ips and match those ips to a subnet range that is in a lookup table. The final output would be a table that shows src_ip, the subnet location and count.
search:
| stats count by src_ip | lookup networks.csv lookup_ip OUTPUT subnet_desc | table src_ip,subnet_desc,count | sort 20 -num("count")
networks.csv
lookup_ip,subnet_loc
10.0.0.0\24,home
10.0.1.0\24,office
Current Final Output:
src_ip ,subnet location, count
10.0.0.15,,5
10.0.1.20,,4
Intended final output:
src_ip ,subnet location, count
10.0.0.15,home,5
10.0.1.20,office,4
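Added example, not part of the original post and not Splunk's own code: Python that reproduces the intended output by matching each src_ip against the lookup's CIDR ranges, and shows why an exact string match leaves the subnet column empty. The sample counts, the 192.168.7.9 address and the function names are constructed for illustration, and the lookup rows use `/` for the prefix length.

```python
import csv
import io
import ipaddress

# Constructed sample data mirroring the post: the lookup rows (with "/" CIDR
# notation) and the per-src_ip counts that `stats count by src_ip` would yield.
NETWORKS_CSV = "lookup_ip,subnet_loc\n10.0.0.0/24,home\n10.0.1.0/24,office\n"
COUNTS = {"10.0.0.15": 5, "10.0.1.20": 4, "192.168.7.9": 1}


def load_networks(text):
    """Parse the lookup CSV into (network, label) pairs, skipping bad rows."""
    nets = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            nets.append((ipaddress.ip_network(row["lookup_ip"]), row["subnet_loc"]))
        except ValueError:
            # e.g. "10.0.0.0\24": a backslash is not valid CIDR notation
            continue
    return nets


def exact_lookup(text, ip):
    """String-equality match on lookup_ip; an address never equals a range."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["lookup_ip"] == ip:
            return row["subnet_loc"]
    return ""


def cidr_lookup(nets, ip):
    """Label of the most specific network containing ip (this example's
    tie-break choice), or '' when no range matches."""
    addr = ipaddress.ip_address(ip)
    hits = [(n.prefixlen, label) for n, label in nets if addr in n]
    return max(hits)[1] if hits else ""


def report(text, counts, limit=20):
    """Rows of (src_ip, subnet_loc, count), highest count first."""
    nets = load_networks(text)
    rows = [(ip, cidr_lookup(nets, ip), c) for ip, c in counts.items()]
    return sorted(rows, key=lambda r: -r[2])[:limit]


if __name__ == "__main__":
    for row in report(NETWORKS_CSV, COUNTS):
        print(",".join(map(str, row)))
```

In Splunk, the same behaviour comes from a lookup definition in transforms.conf with `match_type = CIDR(lookup_ip)`, referenced in the search by its definition name with `lookup_ip AS src_ip`. The `OUTPUT` field has to be a column that exists in the CSV.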