While lookup is probably the best way, I feel there are other ways to conduct this if IP ranges do not change. I do a similar thing for my home network to pick up if my son gets on Roblox when he should be doing schoolwork and I don't use a lookup table for it. Instead I do something like this for quick evaluations:

...your_input
| lookup dnslookup clientip AS your_IP_Field OUTPUT clienthost
| eval clienthost=case(cidrmatch("10.0.0.0/8", your_IP_Field), "roblox", cidrmatch("172.168.0.0/16", your_IP_Field), "Microsoft", true(), clienthost)

Splunk comes with the dnslookup automatically to query known DNS resolutions. It's not perfect, but things like Microsoft and Amazon would resolve. It returns a clienthost field which I further eval to match things I know based on research. I simply keep adding cases every time I find something new. If you need them combined with IP later as one field (i.e. Microsoft: dest 172.0.01 source 10.0.0.1), do it with eval or strcat.
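A fuller version of the same approach, as an added example that is not part of the answer above: reverse-resolve the destination with the built-in dnslookup, classify by CIDR first (the two ranges are the ones quoted in the answer), fall back to pattern-matching the resolved hostname, then build the combined "label: IP" field with strcat. The index, sourcetype and the src_ip/dest_ip field names are assumed.

```spl
index=home_network sourcetype=router_traffic
| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_host
| eval dest_service=case(
      cidrmatch("10.0.0.0/8", dest_ip), "roblox",
      cidrmatch("172.168.0.0/16", dest_ip), "Microsoft",
      match(dest_host, "(?i)amazonaws|cloudfront"), "Amazon",
      match(dest_host, "(?i)microsoft|azure|office"), "Microsoft",
      isnotnull(dest_host), dest_host,
      true(), "unknown")
| strcat dest_service ": " dest_ip dest_label
| bin _time span=15m
| stats count AS connections values(dest_label) AS destinations by _time src_ip dest_service
| where dest_service="roblox" AND date_hour>=9 AND date_hour<15
```

The final where clause is the "schoolwork hours" check; drop it to see the full per-service breakdown, and keep adding case() rows as new ranges or hostnames are identified.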