I have an external lookup script that works mostly fine. Given an IP address from an event, it can match the address to a CIDR formatted allocation, showing me what organization the IP belongs to.
Some systems have more than one IP address, and Splunk doesn't seem to want to look up both IPs: it usually looks up the first, assigns an organization, and then seems to ignore the second. But I need both organization names. An event like:
2011-11-10 09:38:55,blah,cat,dog,"192.168.0.2, 192.168.5.2",foo,bar
Comes back with "org=SectionA" based on the 0.2 address, but what about 5.2? How do I get Splunk to keep looking?
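One way to make the lookup script itself handle a multi-address field, as an added example that is not the original poster's script: it splits the comma-separated value, matches each address against a CIDR table, and emits one output row per matched organization. It assumes a Splunk external lookup with input field `ip` and output field `org`, and the allocation table is constructed sample data.

```python
# Added example (not the original poster's script): a Splunk external lookup
# that resolves every address in a comma-separated IP field. Assumes input
# field 'ip' and output field 'org'; the allocation table is constructed.
import csv
import ipaddress
import sys

# Constructed sample allocations, sorted most-specific prefix first.
ALLOCATIONS = {
    "192.168.0.0/24": "SectionA",
    "192.168.5.0/24": "SectionB",
    "10.0.0.0/8": "Corp",
}
NETWORKS = sorted(((ipaddress.ip_network(c), o) for c, o in ALLOCATIONS.items()),
                  key=lambda pair: pair[0].prefixlen, reverse=True)

def split_ips(field):
    """'192.168.0.2, 192.168.5.2' -> ['192.168.0.2', '192.168.5.2']"""
    return [p.strip() for p in field.split(",") if p.strip()]

def org_for_ip(ip):
    """Organization owning one IP, or None if the value is invalid or unallocated."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return next((org for net, org in NETWORKS
                 if addr.version == net.version and addr in net), None)

def orgs_for_field(field):
    """Resolve every address in the field: order kept, duplicates and misses dropped."""
    found = []
    for ip in split_ips(field):
        org = org_for_ip(ip)
        if org and org not in found:
            found.append(org)
    return found

def main():
    reader = csv.DictReader(sys.stdin)
    fields = reader.fieldnames if "org" in reader.fieldnames else reader.fieldnames + ["org"]
    writer = csv.DictWriter(sys.stdout, fieldnames=fields)
    writer.writeheader()
    for row in reader:
        # One row per organization (assumed: Splunk treats script output like a
        # lookup table, so repeated input rows collapse into a multivalue 'org').
        for org in orgs_for_field(row.get("ip", "")) or [""]:
            writer.writerow({**row, "org": org})

if __name__ == "__main__":
    main()
```

Feed it the sample event's field and `org` comes back with both SectionA and SectionB instead of stopping at the first address.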