I'm looking at firewall logs which typically have (among other details) a source address and a destination address. I'm attempting to use a lookup table to determine the organizational group that each IP belongs to. The lookup table is a fairly basic format:
Subnet,OrgGroup
192.168.0.0/24,Group1
192.168.1.0/24,Group2
This was how I was originally going to do it:
sourcetype=cisco:asa | lookup ip_to_group Subnet AS src_ip OUTPUT OrgGroup as src_group | lookup ip_to_group Subnet AS dest_ip OUTPUT OrgGroup as dest_group
This gives me: src_group=Group1, dest_group=Group2
For business reasons, we don't want to have two output fields (src_group, dest_group) but one ("org_group"):
sourcetype=cisco:asa | lookup ip_to_group Subnet AS src_ip OUTPUT OrgGroup as org_group | lookup ip_to_group Subnet AS dest_ip OUTPUT OrgGroup as org_group
How would I blend those lookups into both using "org_group" without overwriting? e.g. org_group=Group1,Group2
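An added example, not part of the original post and not Splunk's own code: a small Python model of the two-sided lookup, showing what it takes to land both results in a single multivalue field without one overwriting the other (the same shape as doing two lookups into separate fields and then combining them with `mvappend` and `mvdedup` in SPL). The lookup table rows, event values and the `enrich` function are constructed for this illustration; CIDR matching is modelled with the standard `ipaddress` module, with the longest prefix winning when subnets overlap.

```python
# Added example (not from the original post): model of the two-sided CIDR lookup,
# merging src and dest results into one multivalue "org_group" field.
import csv
import io
import ipaddress

# Constructed lookup table in the same Subnet,OrgGroup shape as the poster's CSV.
LOOKUP_CSV = """Subnet,OrgGroup
192.168.0.0/24,Group1
192.168.1.0/24,Group2
10.0.0.0/8,Group3
"""


def load_lookup(text):
    """Parse Subnet,OrgGroup rows into (network, group) pairs, most specific first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["Subnet"].strip(), strict=False)
        rows.append((net, row["OrgGroup"].strip()))
    # Longest prefix first, so in this model an overlapping /24 beats a /8.
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def lookup_group(table, ip):
    """Model of `lookup ip_to_group Subnet AS <field> OUTPUT OrgGroup` for one address.

    Returns None for a missing, malformed or unmatched address, mirroring a
    lookup that simply sets no output field.
    """
    if not ip:
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, group in table:
        if addr.version == net.version and addr in net:
            return group
    return None


def mvappend(*values):
    """Like SPL mvappend: concatenate values, dropping fields that were never set."""
    return [v for v in values if v is not None]


def mvdedup(values):
    """Like SPL mvdedup: drop repeated values while keeping first-seen order."""
    seen = []
    for v in values:
        if v not in seen:
            seen.append(v)
    return seen


def enrich(table, event):
    """Look up src_ip and dest_ip separately, then combine into event['org_group'].

    Doing the two lookups into distinct intermediate values is the key step:
    writing both into the same field directly lets the second lookup clobber
    the first.
    """
    src_group = lookup_group(table, event.get("src_ip"))
    dest_group = lookup_group(table, event.get("dest_ip"))
    out = dict(event)
    out["org_group"] = mvdedup(mvappend(src_group, dest_group))
    return out


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    # Constructed firewall events covering the normal case, both ends in one
    # group, and a destination that is not in the table at all.
    for ev in (
        {"src_ip": "192.168.0.10", "dest_ip": "192.168.1.20"},
        {"src_ip": "192.168.0.10", "dest_ip": "192.168.0.99"},
        {"src_ip": "192.168.1.5", "dest_ip": "8.8.8.8"},
    ):
        print(enrich(table, ev))
```

The SPL shape this models keeps the two lookups writing to separate fields (`src_group`, `dest_group`) and then builds the single field afterwards with `eval org_group=mvdedup(mvappend(src_group, dest_group))`; note that matching an address against a CIDR column in a CSV lookup requires the lookup definition to use CIDR matching on the Subnet field, otherwise the lookup performs an exact string comparison and never matches.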