index=* | stats count by source_ip,dest_port
I got my results against Source_ip, dest_port. Now I want to rename the IPs belonging to specific subnets to some specific name.
Is it possible?
Sure.
Probably the easiest way is to put the IP subnet to name mapping in a lookup table, and then add a lookup command to your current search to map the IP address to a name. Lookups support a match_type=CIDR to enable lookups from IP to subnet.
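Added example (not part of the original answer): one way to set up the CIDR lookup described above. The lookup name subnet_names, the file subnet_names.csv, the column names subnet and subnet_name, the app placeholder and the sample subnets are all assumptions constructed for illustration.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/lookups/subnet_names.csv  (constructed sample rows)
#   subnet,subnet_name
#   10.1.2.0/24,dmz-web
#   10.1.0.0/16,corp-lan
#   192.168.50.0/24,lab
#
# More specific subnets are listed first: with max_matches = 1 the first
# matching row in file order is returned, not the longest prefix.

# transforms.conf (same app)
[subnet_names]
filename = subnet_names.csv
# Treat the "subnet" column as CIDR ranges instead of exact strings
match_type = CIDR(subnet)
max_matches = 1

# Search: map source_ip to its subnet name after the stats
#   index=* | stats count by source_ip, dest_port
#   | lookup subnet_names subnet AS source_ip OUTPUT subnet_name
#   | fillnull value="unmapped" subnet_name
```

Rows that fall through to "unmapped" are addresses outside every listed subnet, which is a quick way to spot sources missing from the mapping.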