Hey Guys,
I am still figuring out the lookup feature. I have checked the previous question but couldn't get a way out.
I wanted to do something similar as described here:
http://splunk-base.splunk.com/answers/57094/join-ip-with-a-subnet
Note: I have configured lookup with GUI way, no editing of any .conf file done yet.
No Advanced options set in definitions.
Scenario: I have a CSV file (subnet-lookup.csv) with list of subnets and appropriate identifier name.
e.g.
Subnet,Name
10.1.1.0/24,ABC
10.1.2.0/24,PQR
10.1.3.0/24,XYZ
Uploaded to Splunk, configured definitions and autolookup with lookup table name subnet-tagged.
Query: |inputlookup subnet-tagged is showing the CSV results successfully in Splunk.
So below are my queries:
1. Can the Subnet field in the CSV be matched with any IP field of the logs by default, or do I have to configure something additional so as to match the CIDR subnet in the CSV file?
2. What do I need to specify in autolookup if I want to use the same lookup across all my indexes, and why is index not available in the dropdown?
3. When I am trying to run a query like
sourcetype=foo ip=* | lookup subnet-tagged ip OUTPUT Name | table ip Subnet Name
It is loading all the results with Subnet and Name blank, whereas the expected results are only the IPs matching the subnet ranges in the CSV file with their respective Name.
Let me know if I am not clear at any step and how I should move forward to get this working.
Thanks in advance.
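An added example, not part of the original post or of Splunk itself, illustrating why the query in point 3 returns blank Subnet and Name values: a plain CSV lookup compares the event's ip with the Subnet column as strings, and "10.1.1.5" is never equal to "10.1.1.0/24". What is needed is a CIDR-aware comparison, which is what Splunk does when the lookup definition's match type is set to CIDR on the Subnet field (in transforms.conf this is match_type = CIDR(Subnet)). The script below reproduces that matching logic outside Splunk so the behaviour can be checked: it parses each Subnet as a network, tests whether the event ip falls inside it, and prefers the most specific (longest prefix) match when subnets overlap. The lookup rows (the three from the post plus one constructed /25 to show the overlap case) and the event IPs are constructed sample data; the function names are this example's own.

```python
"""Added example (not from the original post): CIDR-aware subnet lookup.

Emulates `| lookup subnet-tagged ip OUTPUT Subnet Name` with CIDR matching
instead of exact string matching. All data here is constructed sample data.
"""
import csv
import io
import ipaddress

# Constructed lookup table: the three rows from the post plus one more
# specific /25 inside 10.1.1.0/24 to show longest-prefix selection.
SUBNET_CSV = """Subnet,Name
10.1.1.0/24,ABC
10.1.2.0/24,PQR
10.1.3.0/24,XYZ
10.1.1.128/25,ABC-DMZ
"""


def load_subnet_table(csv_text):
    """Parse the lookup CSV into (network, name) pairs, skipping malformed rows."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["Subnet"].strip(), strict=False)
        except ValueError:
            continue  # a bad Subnet value should not break the whole lookup
        table.append((net, row["Name"].strip()))
    # Longest prefix first, so the most specific subnet wins on overlap.
    table.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return table


def lookup_subnet(ip_text, table):
    """Return (Subnet, Name) for the most specific matching row, or (None, None)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None, None  # not an IP at all: no match, like a blank lookup result
    for net, name in table:
        if ip.version == net.version and ip in net:
            return str(net), name
    return None, None


def tag_events(events, table):
    """Add Subnet and Name to each event dict, as the OUTPUT clause would."""
    tagged = []
    for event in events:
        subnet, name = lookup_subnet(event.get("ip", ""), table)
        enriched = dict(event)
        enriched["Subnet"] = subnet
        enriched["Name"] = name
        tagged.append(enriched)
    return tagged


if __name__ == "__main__":
    # Constructed events: two inside the table, one in the overlap, one outside, one malformed.
    sample_events = [
        {"ip": "10.1.1.5"},
        {"ip": "10.1.1.200"},
        {"ip": "10.1.3.77"},
        {"ip": "192.0.2.9"},
        {"ip": "bogus"},
    ]
    for row in tag_events(sample_events, load_subnet_table(SUBNET_CSV)):
        print(row)
```

Events whose ip falls in no listed subnet come back with Subnet and Name unset, which is the expected outcome for a lookup with no match; the difference from the behaviour described in the post is that IPs inside a listed range now do match.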