Hello Guys!
I have a lookup file with both IP addresses and IP ranges, e.g.:
ip, threat_key, description
10.10.1.1, spyware, ABC
10.24.0.0/24, Spyware, DEF
When I use this lookup file in my query based on src_ip, it matches both the CIDR block and the normal IP. However, when I try to add the fields threat_key and description to the search result:
When I don't add a lookup setting in transforms.conf, the search results show the fields threat_key and description for the exact match of the IP address, i.e. for the 1st event threat_key and description are displayed.
When I use match_type=CIDR(ip) in transforms.conf for the lookup I am using, the threat_key and description fields for the IP ranges are displayed.
I need threat_key and description to be displayed for both scenarios.
Here is my search query:
Firewall
| search [inputlookup ip_intel | rename ip as src_ip|fields src_ip] | lookup ip_intel ip as src_ip OUTPUT threat_key, description
transforms.conf:
[ip_intel]
filename=ip_intel
match_type=CIDR(ip)
This works to get the OUTPUT fields threat_key and description for a CIDR match of src_ip.
However, it doesn't output the fields for an exact IP match.
Thanks for your help.
You need to modify your single IP values in the lookup by appending a /32, i.e. in your case it should be 10.10.1.1/32.
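As an added example (not from the original thread), the script below applies the answer above to a whole lookup file: it rewrites every bare address as a /32 (or /128 for IPv6) host network, rejects range rows with host bits set, and emulates the CIDR(ip) match so you can confirm that both rows now resolve. The lookup contents are constructed from the question.

```python
import csv
import io
import ipaddress

# Constructed sample of the lookup file from the question (ip, threat_key, description).
# The bare 10.10.1.1 row is the one that fails under match_type=CIDR(ip).
SAMPLE_LOOKUP = """ip, threat_key, description
10.10.1.1, spyware, ABC
10.24.0.0/24, Spyware, DEF
"""


def normalize_cidr_lookup(csv_text, ip_field="ip"):
    """Return the lookup CSV with every bare address rewritten as a host
    network (/32 for IPv4, /128 for IPv6), so one CIDR(ip) match covers both
    single addresses and ranges. Range rows must be valid networks."""
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for lineno, row in enumerate(reader, start=2):
        value = row[ip_field].strip()
        try:
            # strict=True: a bare address becomes /32 (or /128); a range with
            # host bits set (e.g. 10.24.0.1/24) is rejected instead of silently widened.
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad {ip_field} value {value!r}: {exc}") from exc
        row[ip_field] = str(net)
        writer.writerow(row)
    return out.getvalue()


def cidr_lookup(csv_text, src_ip, ip_field="ip"):
    """Emulate a CIDR(ip) lookup on a normalized file: return the first row
    whose network contains src_ip, or None when nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for row in csv.DictReader(io.StringIO(csv_text), skipinitialspace=True):
        net = ipaddress.ip_network(row[ip_field].strip(), strict=False)
        if addr in net:
            return row
    return None


if __name__ == "__main__":
    fixed = normalize_cidr_lookup(SAMPLE_LOOKUP)
    print(fixed)
    for ip in ("10.10.1.1", "10.24.0.7", "192.0.2.1"):
        print(ip, "->", cidr_lookup(fixed, ip))
```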