Splunk Search

need help with UI based lookup wildcard/CIDR

MonkeyK
Builder

I recently noticed that the UI for lookup definitions now has an advanced checkbox. If I select that I get the option to set match_type, which is described as

Match type
Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is (). Available values for match_type are WILDCARD and CIDR.

so I added a wildcard match for my lookup field IP to my lookup definition for tools:

match_type=WILDCARD (IP)

(note, I tried CIDR, too, with similar results)

and in the lookup file tools.csv, I had an entry with a *

IP: 10.10.35.*
Tool: Splunk

but when I try to use it, I do not get a match:

|makeresults |eval IP="10.10.35.9" | lookup tools IP

This did not return the Tool field, although if I pass it a matching string it does:

|makeresults |eval IP="10.10.35.*" | lookup tools IP

gets me back tool=Splunk

Is there something that I am misunderstanding about the UI based lookup wildcard? Something else that I should be doing?

0 Karma
1 Solution

woodcock
Esteemed Legend

It should be WILDCARD(IP), not WILDCARD (IP). It should also be:

IP,Tool
Splunk,10.10.35.*

Not:

IP: 10.10.35.*
Tool: Splunk

0 Karma

MonkeyK
Builder

Tried
match_type=WILDCARD(IP)

with the same results. Waited an hour as well, but still same results.

Sorry on the csv. I should have written that correctly. Since it was just a lookup table, the data was actually stored correctly as
IP,Tool
Splunk,10.10.35.*

Also tried
match_type=WILDCARD(IP)
and changing the lookup table to
IP,Tool
Splunk,10.10.35.0/24

with the same results -- no lookup match
although
|makeresults |eval IP="10.10.35.0/24" | lookup tools IP
does return a Tool value of Splunk

0 Karma

MonkeyK
Builder

For now I cheated and re-evaluated the query IP to match the lookup.

First checks the lookup for a full IP match, and then checks for a match on the final octet "wildcarded".

|makeresults |eval IP="10.10.35.9" 
| lookup tools IP 
| eval IP3=IP 
| rex mode=sed field=IP3 "s/(?<IP3>\d{1,3}\.\d{1,3}\.\d{1,3}+\.)\d{1,3}/\1*/g" 
| lookup tools IP as IP3 OUTPUTNEW 
0 Karma

MonkeyK
Builder

OK. Learned where I went wrong on this one.

I actually entered
match_type=WILDCARD(IP)
into the UI.

I actually only needed to enter
WILDCARD(IP)

0 Karma
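To make the symptom in this thread concrete, here is an added example (not code from the thread or from Splunk) that emulates what a lookup does under exact, WILDCARD and CIDR matching: with exact matching only an event whose IP is the literal string "10.10.35.*" hits the row, while WILDCARD(IP) or CIDR(IP) matches 10.10.35.9. The CSV contents, the `load_lookup`, `field_matches` and `lookup` helpers, and the extra Jumphost row are all constructed for the example.

```python
"""Emulate Splunk lookup match_type semantics (exact vs WILDCARD vs CIDR).

Added example, not Splunk's code: it reproduces the behaviour discussed in
the thread so the misconfigured (exact) and intended (WILDCARD/CIDR)
outcomes can be compared on the same input.
"""
import csv
import io
import ipaddress
import re

# Constructed lookup files; row values follow the order of the header.
TOOLS_WILDCARD_CSV = "IP,Tool\n10.10.35.*,Splunk\n192.168.1.10,Jumphost\n"
TOOLS_CIDR_CSV = "IP,Tool\n10.10.35.0/24,Splunk\n192.168.1.10/32,Jumphost\n"


def load_lookup(text):
    """Parse a CSV lookup into a list of {column: value} rows."""
    return list(csv.DictReader(io.StringIO(text)))


def field_matches(pattern, value, match_type):
    """Compare one event value against one lookup cell under a match_type."""
    if match_type == "WILDCARD":
        # Only '*' is a wildcard; everything else in the cell is literal.
        regex = re.escape(pattern).replace(r"\*", ".*")
        return re.fullmatch(regex, value) is not None
    if match_type == "CIDR":
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(value) in net
        except ValueError:  # event value is not an IP, or cell is not CIDR
            return False
    # No match_type configured: exact, case-sensitive string comparison.
    return value == pattern


def lookup(rows, field, value, output, match_type=None):
    """Return the output column of the first matching row, else None.

    Mirrors `| lookup tools <field> OUTPUT <output>` for a single value.
    """
    for row in rows:
        if field_matches(row[field], value, match_type):
            return row[output]
    return None
```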