How to CIDR match in Lookup table
- Release date: 2016-10-11
- Last updated: 2023-12-01
- Version: Splunk Enterprise 9.0.4
- Overview: How to CIDR match in Lookup table
CIDR matching method using a lookup table
You can search with CIDR matching by adding the following to $SPLUNK_HOME/etc/apps/<app_name>/local/transforms.conf. The field named in match_type is the column of the lookup file that holds the CIDR prefixes, not the event field.
---------
[<lookup definition name>]
match_type = CIDR(<lookup field name>)
---------
* About the $SPLUNK_HOME path in this procedure
$SPLUNK_HOME in the instructions is the Splunk installation directory.
By default it is as follows.
---------
Linux : /opt/splunk
Windows : C:\Program Files\Splunk
---------
【Setting Example】
- Create a lookup table.
Example) ipam.csv
---------
src_ip,Dept
10.8.1.0/18,Dept1
10.17.101.0/16,Dept2
---------
* Save the file as UTF-8 without BOM.
* Upload the file from the Splunk web UI under Settings > Lookups > Lookup table files,
  or place it in $SPLUNK_HOME/etc/apps/<app_name>/lookups/.
  (When the lookup is used from Search & Reporting, <app_name> is search.)
- Create a lookup definition.
Edit $SPLUNK_HOME/etc/apps/<app_name>/local/transforms.conf directly (create it if it does not exist) and add the following.
Example) transforms.conf
---------
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
---------
* For filename, specify the name of the lookup file you uploaded or placed.
* For details on lookup tables in transforms.conf, see:
https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Transformsconf#Lookup_tables
- Optionally, configure an automatic lookup. (not required)
Example) props.conf
---------
[my_sourcetype]
# add the following below the existing settings
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
---------
* Configure this either from the Splunk web UI under Settings > Lookups > Automatic lookups, or by editing $SPLUNK_HOME/etc/apps/<app_name>/local/props.conf directly as shown above, adding the automatic lookup line below the existing settings for that sourcetype. (The definition above assumes the event field and the lookup field have the same name, src_ip. If the event field is named differently, map it with AS, e.g. ipam src_ip AS <event field> OUTPUTNEW Dept AS Department. OUTPUTNEW only fills in Department when the event does not already have that field; use OUTPUT if it should overwrite an existing value.)
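As an added illustration (not code from this page or from Macnica), the following Python emulates what the lookup definition and the automatic lookup above do to events, so the CSV and the conf lines can be sanity-checked offline before they are deployed. The CSV is a constructed copy of ipam.csv; the function names, the masking of a prefix whose host bits are set (10.8.1.0/18 treated as 10.8.0.0/18 via strict=False), and first-match-in-file-order for overlapping rows are assumptions of this example, not documented Splunk behaviour.

```python
import csv
import io
import ipaddress

# Constructed copy of the page's ipam.csv, embedded so the example runs offline.
IPAM_CSV = """src_ip,Dept
10.8.1.0/18,Dept1
10.17.101.0/16,Dept2
"""


def load_cidr_lookup(csv_text, cidr_field):
    """Parse a lookup CSV into a list of (network, row) pairs in file order.

    strict=False masks a prefix whose host bits are set (10.8.1.0/18 becomes
    10.8.0.0/18) so the row matches as a block; this is an assumption of the
    example, not documented Splunk behaviour. Unparseable rows are returned
    separately instead of being dropped silently.
    """
    table, bad = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row[cidr_field].strip(), strict=False)
        except ValueError:
            bad.append(row)
            continue
        table.append((net, row))
    return table, bad


def cidr_lookup(table, value, output_fields, max_matches=1):
    """Emulate `| lookup <def> <field>` on a definition with match_type = CIDR(<field>).

    output_fields maps lookup column -> output field name (Dept -> Department).
    Rows are tested in file order and at most max_matches rows contribute;
    file order for overlapping prefixes is an assumption of this example.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return {}  # not an IP literal: a CIDR match cannot apply
    out, hits = {}, 0
    for net, row in table:
        if addr.version == net.version and addr in net:
            for col, name in output_fields.items():
                out.setdefault(name, []).append(row[col])
            hits += 1
            if hits >= max_matches:
                break
    # One matching row yields scalar fields; several yield multivalue fields.
    return {k: v[0] if len(v) == 1 else v for k, v in out.items()}


def apply_auto_lookup(events, table, lookup_field, output_fields):
    """Emulate the props.conf line LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department.

    OUTPUTNEW only fills fields the event does not already carry; OUTPUT would
    overwrite them. Events without the lookup field are left untouched.
    """
    for ev in events:
        if lookup_field not in ev:
            continue
        for name, val in cidr_lookup(table, ev[lookup_field], output_fields).items():
            ev.setdefault(name, val)
    return events


if __name__ == "__main__":
    table, bad = load_cidr_lookup(IPAM_CSV, "src_ip")
    # Constructed sample events; the second one already has Department set.
    events = [
        {"src_ip": "10.8.20.5"},
        {"src_ip": "10.17.3.9", "Department": "Preset"},
        {"src_ip": "192.0.2.1"},
        {"dest_ip": "10.8.1.1"},
    ]
    for ev in apply_auto_lookup(events, table, "src_ip", {"Dept": "Department"}):
        print(ev)
```

Inside Splunk, the equivalent quick check after saving the definition is a search such as | makeresults | eval src_ip="10.8.20.5" | lookup ipam src_ip OUTPUTNEW Dept, which should return Dept1 for the lookup file above.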
That is all.
Contact: Macnica, Inc., Splunk team
- TEL:045-476-2010
- E-mail:splunk-sales@macnica.co.jp
Mon-Fri 8:45-17:30