Hi,
I am trying to find the correct way to query a lookup file based on a where clause with CIDRMATCH.
I have the following scenario:
We have a lookup table that contains a mapping between our customers and IP Address ranges that are assigned to them. So, the lookup table looks like the following example:
CustomerName   Prefix
Customer A     10.1.1.0/24
Customer B     172.16.42.0/16
Customer C     192.168.1.0/24
Additionally, we have sFlow Data that contains explicit IP Addresses as source and destination information. We would like to add a field to each event that holds the CustomerName based on a cidrmatch query of the source or dest IP Address.
I can query the lookup table with cidrmatch to get the required information with the following query:
| inputlookup tenants.csv
| where (cidrmatch(myprefix,"10.66.148.3"))
| fields customer
| dedup customer
And I can query the sFlow Data to show the Connections information that comes from the sFlow Data, but I didn’t find a way to combine these two queries to get the result I want.
For example, I tried it with eval and inputlookup:
source="stream:sflow" | eval Customer=[| inputlookup tenants.csv | where (cidrmatch(myprefix,dest_ip)) | fields customer ]
Maybe someone can give me a hint on how this should or can work!
Thanks in advance
Stefan
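The enrichment the post is after (tag every flow record with the customer whose prefix contains its source or destination address) is, at its core, a CIDR lookup with longest-prefix-match semantics. Splunk can do that match inside a lookup definition rather than with a subsearch, but the logic itself is easy to see in plain code. The following Python is an added example, not part of the post or of any Splunk feature: the column names `customer` and `myprefix` are taken from the query in the post, while the sFlow-style records, the `src_ip`/`dest_ip` field names and the field order are constructed assumptions. It also covers two edge cases the table above would hit: a prefix written with host bits set (`172.16.42.0/16`) and overlapping ranges, where the most specific prefix wins.

```python
import csv
import io
import ipaddress

# Constructed lookup table mirroring tenants.csv from the post.
# Column names follow the query in the post; the rows are assumed sample data.
TENANTS_CSV = """customer,myprefix
Customer A,10.1.1.0/24
Customer B,172.16.42.0/16
Customer C,192.168.1.0/24
"""

# Constructed sFlow-like records (field names are an assumption, not real sFlow output).
FLOWS = [
    {"src_ip": "10.1.1.25",   "dest_ip": "8.8.8.8"},
    {"src_ip": "172.16.7.9",  "dest_ip": "192.168.1.200"},
    {"src_ip": "203.0.113.5", "dest_ip": "198.51.100.7"},
]


def load_tenants(text):
    """Parse the CSV into (network, customer) pairs, most specific prefix first."""
    nets = []
    for row in csv.DictReader(io.StringIO(text)):
        # strict=False accepts prefixes with host bits set, such as 172.16.42.0/16
        # (normalised to 172.16.0.0/16); a strict parser would reject that row.
        net = ipaddress.ip_network(row["myprefix"].strip(), strict=False)
        nets.append((net, row["customer"].strip()))
    # Longest prefix first, so overlapping ranges resolve deterministically
    # (this is why the post needed "dedup customer" when several rows matched).
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


def cidr_lookup(nets, ip):
    """Return the customer whose prefix contains ip, or None if nothing matches."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # malformed address in the flow record: no match, no crash
    for net, customer in nets:
        if addr.version == net.version and addr in net:
            return customer
    return None


def enrich(flows, nets):
    """Add a Customer field to each flow: source address first, then destination."""
    enriched = []
    for flow in flows:
        record = dict(flow)
        record["Customer"] = (cidr_lookup(nets, flow["src_ip"])
                              or cidr_lookup(nets, flow["dest_ip"]))
        enriched.append(record)
    return enriched


if __name__ == "__main__":
    for record in enrich(FLOWS, load_tenants(TENANTS_CSV)):
        print(record)
```

Records whose addresses fall outside every prefix keep `Customer` as `None`, which is the case worth alerting on or filtering for when the table is meant to be exhaustive. Preferring the source address over the destination is an arbitrary choice made here; a flow between two customers' ranges will only ever carry one label, so decide which side matters for your use case before relying on the field.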