If your IP ranges are defined as CIDR ranges, then you can make a lookup using the IP range as a CIDR lookup field, and then you can do a lookup for an IP address and it will return the location.
See the lookup documentation
https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Lookup
How is iprange defined?
|inputlookup demo.csv
| eval ip = "xx.xxx.xxx.xxx" ```Enter the IP address you want to match```
| eval result=if(cidrmatch(ip_range, ip), "true", "false")
| search result="true"
I am using the above SPL to return the result for the IP address associated with the IP range in the lookup table. This works fine.
I want to do the same thing when index=main has a field ip which contains an IP address. I need to invoke cidrmatch and output the result associated with the same iprange. How do I modify my SPL? The lookup table and my index info have nothing in common other than the ip field I have, and the lookup table has the IP range info. Is there a way I can use the lookup command to do this?
Thanks
Yes, you need to make a lookup DEFINITION based on the lookup file. In the advanced options for the definition, add CIDR(ip_range).
In your SPL you do
index=main
| lookup definition_name ip_range as ip OUTPUT ip_range as found
Then you will have the found field as your range if the IP is found, or null if not found.
So you can do this:
| where isnotnull(found)
which will find those that match the range.
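An offline model of the CIDR lookup described in this thread, added here as an example and not code from any of the posters or from Splunk. It checks that every ip_range value in the lookup file parses as a CIDR block and shows which event IPs would get a non-null found field. The CSV contents, the location column, the event list and the first-match behaviour are assumptions made for the illustration.

```python
import csv
import io
import ipaddress

# Constructed sample standing in for demo.csv; the "location" column is an assumption.
DEMO_CSV = """ip_range,location
10.0.0.0/8,internal
192.168.10.0/24,branch-office
203.0.113.0/24,dmz
not-a-cidr,broken-row
"""

# Constructed events standing in for index=main results that carry an "ip" field.
EVENTS = [{"ip": "10.4.5.6"}, {"ip": "192.168.10.77"},
          {"ip": "198.51.100.9"}, {"ip": "garbage"}]

def load_ranges(text):
    """Parse lookup rows; return (valid, rejected) so bad ip_range values are visible."""
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(row["ip_range"], strict=False)
        except ValueError:
            rejected.append(row["ip_range"])
            continue
        valid.append((net, row))
    return valid, rejected

def enrich(events, ranges):
    """Add found/location to each event; both are None when no range contains ip."""
    out = []
    for ev in events:
        match = None
        try:
            addr = ipaddress.ip_address(ev["ip"])
            # Assumption: the first matching row wins (a simplification).
            match = next((row for net, row in ranges if addr in net), None)
        except ValueError:
            pass  # unparseable ip value: treated as not found
        out.append({**ev,
                    "found": match and match["ip_range"],
                    "location": match and match["location"]})
    return out

def matched(events, ranges):
    """Counterpart of the final `where isnotnull(found)` filter."""
    return [e for e in enrich(events, ranges) if e["found"] is not None]
```

Rows reported in `rejected` are ones to fix in the CSV before relying on the lookup for enrichment.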