- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup table question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookup table question
Hi, i have a lookup table where i have the below values
My questions are:
When i specify CIDR block would it work? or do i need to specify each ip?
we have set of internal ips which you can see in the below table. I have specified .* in the IPs. For example 10.*.Would it consider all the ips that start with 10.
is it possible to specify a NOT logic? meaning NOT all the internal requests as external. so it would be ^10.*
WhitelistIPs clientip
Company XXX 63.122.163.0/27
Company YYYY 63.158.163.8
Company YYYY 64.274.165.6
Company YYYY 38.172.74.18
Company YYYY 12.298.108.202
Company YYYY 67.247.113.226
Company ZZZZ 74.189.118.39
Company ZZZZ 74.129.118.40
Internal 10.*
Internal 167.115.*
Internal 192.168.*
Internal 63.85.20.233
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use cidrmatch("65.222.163.0/27",clientip) for exact matches. For something which starts with 10, you can use match(). Example : match(Internal, "10.\d{1,3}.\d{1,3}.\d{1,3}")
You can use NOT logic too.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yup that's right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can't both have wildcard matching and cidr - it has to be one of them (and you need to specify that in transforms.conf)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will depend. I guess you would need to set up your loookup in a way that it can give the clientip as output along with WhitelistIps. So for clientip as Input, both Clientip and WhitelistIp's need to be output. Then you can use the above functions and play around.
Do accept the answer if it works for you. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you !!!. But all of this i can use in the Lookup spreadsheet?
where clientip is the input filed and WhitelistIPs is the output field..
so the data would be like this?
WhitelistIPs clientip
Company XXX cidrmatch("65.222.163.0/27",clientip)
Company YYYY 63.158.163.8
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
