I'm trying to write a search for an asset lookup that I'm able to query to take a list of IPs and bring back the corresponding CIDR range and a criticality and then table them.
Example: One lookup table (assets) - host, ip

HOSTNAME   IP
HOST123    10.10.3.5

Another lookup table (network_hierarchy) - CIDR, criticality

CIDR           Criticality
10.10.3.0/24   Critical
Ideally, when we run the LDAP search that populates our host/IP list, I'd like to be able to use the IP to search the other lookup based on CIDR range and then return that result, along with the criticality field, back to the original table, ultimately getting one table with host, ip, CIDR, criticality. I just don't know how to make it function in order to have Splunk's logic match an IP to its CIDR range and then bring everything back into one lookup table.
Any help would be much appreciated!!
Probably this might help you. You can mention match_type as CIDR(cidr_range):
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
From transforms.conf:
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is
the default and does not need to be specified. Only fields that should
use WILDCARD or CIDR matching should be specified in this list
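To make the matching logic concrete, here is an added example (not code from the thread or from Splunk) that does in plain Python what a CIDR match_type lookup does: each asset IP is tested for membership in the CIDR column of the network table and the matching row's Criticality is copied onto the asset row. The two CSV strings are constructed sample data modelled on the tables in the question, with extra rows added to show an IP outside every range, an unparsable IP, and overlapping ranges; the longest-prefix tie-break is this example's own choice.

```python
"""Join an asset list to a CIDR table by IP membership.

Added example, not part of the original Splunk Answers thread: it shows in
plain Python what a CIDR match_type lookup does, so the join logic can be
checked offline. Table contents are constructed sample data.
"""
import csv
import io
import ipaddress

# Constructed sample data mirroring the "assets" lookup in the question,
# plus rows that exercise the edge cases.
ASSETS_CSV = """HOSTNAME,IP
HOST123,10.10.3.5
HOST124,10.10.3.250
HOST125,10.20.0.7
HOST126,192.168.1.9
HOST127,not-an-ip
"""

# Constructed "network_hierarchy" lookup. Ranges overlap on purpose:
# 10.10.3.0/24 sits inside 10.0.0.0/8.
NETWORK_HIERARCHY_CSV = """CIDR,Criticality
10.0.0.0/8,Medium
10.10.3.0/24,Critical
10.20.0.0/16,High
"""


def load_networks(csv_text):
    """Parse the CIDR lookup into (network, criticality) pairs, most specific first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["CIDR"].strip(), strict=False)
        rows.append((net, row["Criticality"].strip()))
    # Longest prefix first so the first hit is the most specific range
    # (this tie-break is the example's choice, not a Splunk guarantee).
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def match_cidr(ip_text, networks):
    """Return (cidr, criticality) for the most specific range containing ip_text.

    Returns (None, None) for an IP outside every range or for an unparsable
    value, so a bad row cannot silently inherit another asset's criticality.
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None, None
    for net, crit in networks:
        if ip.version == net.version and ip in net:
            return str(net), crit
    return None, None


def join_assets(assets_csv, networks_csv):
    """Build the merged table: one dict per asset with HOSTNAME, IP, CIDR, Criticality."""
    networks = load_networks(networks_csv)
    merged = []
    for row in csv.DictReader(io.StringIO(assets_csv)):
        cidr, crit = match_cidr(row["IP"], networks)
        merged.append({
            "HOSTNAME": row["HOSTNAME"].strip(),
            "IP": row["IP"].strip(),
            "CIDR": cidr,
            "Criticality": crit,
        })
    return merged


if __name__ == "__main__":
    for rec in join_assets(ASSETS_CSV, NETWORK_HIERARCHY_CSV):
        print("{HOSTNAME:<8} {IP:<16} {CIDR!s:<16} {Criticality}".format(**rec))
```

On the Splunk side the same join comes from the setting quoted above: put `match_type = CIDR(CIDR)` in the transforms.conf stanza for the network_hierarchy lookup (CIDR being the field name from the question's table), then feed the asset list through it, for example `| inputlookup assets | lookup network_hierarchy CIDR AS IP OUTPUT CIDR Criticality | table HOSTNAME IP CIDR Criticality`, and `outputlookup` the result if you want it persisted as a single lookup. Assets whose IP falls outside every range come back with empty CIDR and Criticality fields, as in the Python version; if your network table contains overlapping ranges, check how your Splunk version orders multiple CIDR matches (max_matches and the lookup's row order) rather than assuming the longest prefix wins.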