Solved: How to read a file and use the data inside in a ev...

langanix · ‎03-14-2017

I am new using Splunk, sorry.
I need to separate a lot of subnets by name. I would like (txt) to read a file kind of:

10.0.1.0/16 NAME1
10.5.0.0/24 NAME2
...

I am using this search now : | eval org=case(cidrmatch("10.118.68.0/23",src),"NAME1", cidrmatch("10.118.103.0/26",src_ip),"NAME2") | stats by org

The question is that I have a lot of subnets and I need to simplify the query, and I wonder if is there any way to read a file in the eval function, using awk or something like that?

Thanks in advance.

somesoni2 · ‎03-14-2017

What you need is to create a lookup table file with all those CIDR and name mapping, create a lookup transform to do cidr match. They you should be able to use lookup command to match and fetch name OR you can setup automatic lookup to get the name automatically. See this link for details.

https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

View solution in original post

somesoni2 · ‎03-14-2017

What you need is to create a lookup table file with all those CIDR and name mapping, create a lookup transform to do cidr match. They you should be able to use lookup command to match and fetch name OR you can setup automatic lookup to get the name automatically. See this link for details.

https://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

langanix · ‎03-14-2017

Thank you very much for you answer!

How to read a file and use the data inside in a eval function?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases