I use a lookup file for matching a TCP or UDP port and an application. Is it possible to specify a port range instead of a single port? If so, what is the syntax to do this?
An example:
dest_port | application
53 | dns
80 | http
5000-5010 | application1
Lookups are exact string matches so putting a range in the lookup file won't work.
By default they are exact matches, but you could use a wildcard lookup like in @Ayn's answer here: http://answers.splunk.com/answers/52580/can-we-use-wild-characters-in-lookup-table.html
So using a CSV file like this:
dest_port | application
500* | application1
should work for ports ranging from 5000-5009.
Thank you for your help. Does this apply to ports above 50000 to 50099?
You need to test it, but I assume it does.
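An added example, not part of the original thread: it expands the `5000-5010` range row from the question into one exact-match row per port, and lists which port numbers a wildcard such as `500*` would cover. The function names and the comma-separated sample are constructed for illustration, and the wildcard is modelled with Python's `fnmatch` glob, which is an assumption about how the lookup treats `*`.

```python
import csv
import io
from fnmatch import fnmatchcase

# Constructed sample: the lookup from the question, written as CSV.
RANGE_LOOKUP = """dest_port,application
53,dns
80,http
5000-5010,application1
"""

def expand_ranges(text):
    """Rewrite 'low-high' rows as one exact-match row per port."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        spec = rec["dest_port"].strip()
        low, _, high = spec.partition("-")
        # A single port has no '-', so high is empty and falls back to low.
        low, high = int(low), int(high or low)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {spec!r}")
        app = rec["application"].strip()
        rows.extend((str(p), app) for p in range(low, high + 1))
    return rows

def to_csv(rows):
    """Serialise expanded rows back into a lookup file body."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["dest_port", "application"])
    writer.writerows(rows)
    return out.getvalue()

def wildcard_coverage(pattern):
    """Valid ports whose string form matches a glob pattern such as '500*'."""
    return [p for p in range(65536) if fnmatchcase(str(p), pattern)]

if __name__ == "__main__":
    print(to_csv(expand_ranges(RANGE_LOOKUP)), end="")
    hits = wildcard_coverage("500*")
    print(len(hits), "ports match 500*:", hits[:3], "...", hits[-1])
```
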