- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Problems with cidrmatch and lookup from csv (even ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problems with cidrmatch and lookup from csv (even after transforms.conf edited)
I've read other questions on this topic and I am afraid I'm just stuck.
I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).
I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).
1. I have edited transforms.conf with the configuration below
[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)
2. The following query doesnt work (for some reason)
| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location
3. None of the fields match on the country (or the OUTPUT field *clientip_location)*
Any idea what could be going on here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever get this resolved? I seem to be having the same issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.
So, in production Im running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.
Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. Its weird.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
