Hi
Apologies in advance if there already is a similar question/answer (I couldn't find it).
Is there a way of setting tag::host (or some other tag, e.g. tag::client) based on a host search using CIDR notation? I'd like to avoid using a lookup table specifying one host per line (unless I can use CIDR).
Thanks
You can use eventtypes for this. Eventtypes are fundamentally tags on events defined by a search. Create an eventtype with your CIDR criteria on the field as its search and your events will be tagged appropriately in the "eventtype" field.
You can use a scripted lookup - take a look at this thread for more detail:
http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table
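As an added example (not code from the linked thread or from Splunk itself), here is what such a scripted lookup can look like: an external lookup script that fills a `client` field from an `ip` field by longest-prefix CIDR match. The transforms.conf stanza in the docstring, the field names and the CIDR table are assumptions.

```python
#!/usr/bin/env python3
"""Splunk external (scripted) lookup: IP -> client label by CIDR.

Assumed wiring in transforms.conf (adjust names to your deployment):
    [cidr_client]
    external_cmd = cidr_client.py ip client
    fields_list  = ip, client
Splunk passes the field names as arguments, writes CSV rows to stdin and
reads back CSV rows with the output field filled in.
"""
import csv
import ipaddress
import sys

# Constructed sample table; replace with your real ranges (assumption).
CIDR_LABELS = [
    ("10.0.0.0/8", "corp"),
    ("10.10.0.0/16", "corp-dmz"),   # more specific than 10.0.0.0/8, must win
    ("192.168.0.0/16", "lab"),
    ("203.0.113.0/24", "partner"),
]
# Sort longest prefix first so the most specific range matches.
NETWORKS = sorted(((ipaddress.ip_network(c), lbl) for c, lbl in CIDR_LABELS),
                  key=lambda n: n[0].prefixlen, reverse=True)


def label_for(ip_str):
    """Label of the most specific CIDR containing ip_str, or '' if none/invalid."""
    try:
        addr = ipaddress.ip_address((ip_str or "").strip())
    except ValueError:
        return ""          # empty or malformed field: leave the output blank
    for net, label in NETWORKS:
        if addr in net:    # version mismatch (v4 vs v6) simply yields False
            return label
    return ""


def lookup_rows(in_field, out_field, rows):
    """Fill out_field for each row dict where Splunk left it empty."""
    for row in rows:
        if not row.get(out_field):
            row[out_field] = label_for(row.get(in_field))
    return rows


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: cidr_client.py <ip_field> <output_field>")
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(lookup_rows(sys.argv[1], sys.argv[2], list(reader)))
```

Once the lookup is defined, `| lookup cidr_client ip OUTPUT client` populates the field, and you can search or tag on it like any other field.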