| set union [search index=*_place_holder sourcetype=placeholder | fields src_ip | where src_ip!="N/A" | rename src_ip as c_ip | fields c_ip] [search index=*_place_holder sourcetype=placeholder | fields dest_ip | where dest_ip!="N/A" | rename dest_ip as c_ip | fields c_ip] | table c_ip | dedup c_ip | lookup lookupfile.csv SUBNET as c_ip OUTPUT SUBNET_NAME
That's the search I have so far. It does combine the two fields src_ip and dest_ip into c_ip successfully. But now I need to find a way to compare c_ip with the SUBNET field in lookupfile.csv. Matching the first 3 octets would be the best way for me, but I'm not sure how to go about this. Also, how would I modify the search so the results show Matches and Non-Matches as two separate fields?
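The logic the question is after (union of src_ip and dest_ip, dedup, then a subnet lookup split into matches and non-matches) can be checked outside Splunk before building the lookup definition. The following is an added Python example, not code from the question or from Splunk; the lookup rows and events are constructed sample data, and the SUBNET column is assumed to hold CIDR notation. It goes beyond the "first 3 octets" idea by doing proper CIDR containment, which also handles subnets that are not /24s; in Splunk the same containment match is what a lookup definition with `match_type = CIDR(SUBNET)` in transforms.conf provides, and the match/non-match split maps to testing whether SUBNET_NAME came back null.

```python
import csv
import io
import ipaddress

# Constructed stand-in for lookupfile.csv: a SUBNET column in CIDR form and a
# SUBNET_NAME column (sample values only, not from any real environment).
LOOKUP_CSV = """SUBNET,SUBNET_NAME
10.1.2.0/24,corp-lan
10.1.3.0/24,guest-wifi
192.168.0.0/16,lab
"""

# Constructed events standing in for the two unioned searches; "N/A" is used
# the same way the question's search filters it out.
EVENTS = [
    {"src_ip": "10.1.2.15", "dest_ip": "8.8.8.8"},
    {"src_ip": "N/A", "dest_ip": "10.1.3.7"},
    {"src_ip": "192.168.44.9", "dest_ip": "10.1.2.15"},
    {"src_ip": "172.16.5.5", "dest_ip": "N/A"},
]


def load_subnets(csv_text):
    """Parse the lookup CSV into (network, name) pairs, skipping malformed rows."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["SUBNET"].strip(), strict=False)
        except ValueError:
            continue  # a bad SUBNET entry is ignored rather than matched by accident
        nets.append((net, row["SUBNET_NAME"]))
    # Longest prefix first so the most specific subnet wins when ranges nest.
    nets.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return nets


def union_ips(events):
    """Equivalent of the 'set union ... | dedup c_ip' stage: every non-N/A
    src_ip or dest_ip, deduplicated, in first-seen order."""
    seen = []
    for event in events:
        for field in ("src_ip", "dest_ip"):
            ip = event.get(field, "N/A")
            if ip != "N/A" and ip not in seen:
                seen.append(ip)
    return seen


def lookup_subnet(ip, nets):
    """Return SUBNET_NAME of the most specific subnet containing ip, or None."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # unparseable values count as non-matches
    for net, name in nets:
        if addr in net:
            return name
    return None


def classify(events, csv_text):
    """Produce the two result sets the question asks for: matches
    (ip -> subnet name) and non-matches (ips no subnet covers)."""
    nets = load_subnets(csv_text)
    matches, non_matches = {}, []
    for ip in union_ips(events):
        name = lookup_subnet(ip, nets)
        if name is None:
            non_matches.append(ip)
        else:
            matches[ip] = name
    return matches, non_matches


if __name__ == "__main__":
    found, missing = classify(EVENTS, LOOKUP_CSV)
    print("matches:", found)
    print("non-matches:", missing)
```

Running it lists three matched addresses with their subnet names and two unmatched ones (8.8.8.8 and 172.16.5.5), which is the shape of output you would want the SPL to produce before feeding the non-matches to further review.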