How to CIDR match in Lookup table
- release date: 2016-10-11
- last updated: 2023-12-01
- version: Splunk Enterprise 9.0.4
CIDR matching method using lookup table

You can search using CIDR match by setting the following in the app's local/transforms.conf ($SPLUNK_HOME/etc/apps/<app_name>/local/transforms.conf; see the setting example below).
---------
[<Lookup definition name>]
match_type = CIDR(<Lookup field name>)
---------
About the path of $SPLUNK_HOME in the procedure:
$SPLUNK_HOME in the instructions is the Splunk installation directory. By default it is as follows.
---------
Linux : /opt/splunk
Windows : C:\Program Files\Splunk
---------

[Setting Example]
- Create a lookup table.
Example) ipam.csv
---------
src_ip,Dept
10.8.1.0/18,Dept1
10.17.101.0/16,Dept2
---------
*Save the file with character encoding UTF-8 (no BOM).
*Upload the file from Splunk Web: Settings > Lookups > Lookup table files.
Or place it in $SPLUNK_HOME/etc/apps/<app_name>/lookups/.
(When used in Search & Reporting, <app_name> will be search.)

- Create a lookup definition.
Directly edit the $SPLUNK_HOME/etc/apps/<app_name>/local/transforms.conf file (create it if it does not exist) and add the following.
Example) transforms.conf
---------
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
---------
*For filename, specify the name of the lookup file placed in the previous step.
*For details on lookup table settings in the transforms.conf file, see:
https://docs.splunk.com/Documentation/Splunk/9.0.4/Admin/Transformsconf#Lookup_tables

- Optionally, configure an automatic lookup. (not required)
Example) props.conf
---------
[my_sourcetype]
# Add the following below the existing settings
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
---------
*To configure it, use Splunk Web (Settings > Lookups > Automatic lookups) or directly edit the $SPLUNK_HOME/etc/apps/<app_name>/local/props.conf file as shown above, adding the automatic lookup setting below the existing settings. (The above definition assumes the field name in the event and the field name in the lookup table are the same, src_ip.)
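As an added illustration (not part of the original FAQ and not Splunk's own code), the following Python script models what the three settings above do at search time: it loads the ipam.csv lookup, performs a CIDR containment match on src_ip, and applies the OUTPUTNEW Dept AS Department enrichment to a few constructed events. The sample events, the EVENTS list and the function names are this example's own; it assumes that Splunk masks off the host bits of entries that are not network-aligned, such as 10.8.1.0/18 (treating it as 10.8.0.0/18), which is what ip_network(strict=False) does here.

```python
"""Offline model of a Splunk CIDR lookup (constructed example, not Splunk code)."""
import csv
import io
import ipaddress

# Constructed copy of the ipam.csv from the FAQ. Neither row is a network-aligned
# address (10.8.1.0/18 covers the same range as 10.8.0.0/18); strict=False below
# masks the host bits, which this example assumes is how Splunk loads such rows.
IPAM_CSV = """src_ip,Dept
10.8.1.0/18,Dept1
10.17.101.0/16,Dept2
"""


def load_cidr_lookup(csv_text, cidr_field):
    """Parse the lookup CSV and pre-compute an ip_network object per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row[cidr_field].strip(), strict=False)
        rows.append((net, row))
    return rows


def cidr_match(table, value):
    """Return every lookup row whose CIDR contains the event value, in file order.

    Values that are not IP addresses never match, which is the useful property of
    match_type = CIDR compared with a plain string (WILDCARD/exact) lookup.
    """
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return []
    return [row for net, row in table if addr in net]


def apply_lookup(event, table, in_field, out_field, as_field, outputnew=True):
    """Enrich one event the way 'LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department'
    would: copy the first matched row's Dept into Department.

    OUTPUTNEW writes the output field only when the event does not already carry
    it; OUTPUT (outputnew=False) overwrites an existing value.
    """
    enriched = dict(event)
    if in_field not in event:
        return enriched
    matches = cidr_match(table, event[in_field])
    if not matches:
        return enriched
    if outputnew and as_field in event:
        return enriched
    enriched[as_field] = matches[0][out_field]
    return enriched


# Constructed sample events (hypothetical addresses chosen around the /18 boundary).
EVENTS = [
    {"src_ip": "10.8.63.250"},                        # inside 10.8.0.0/18  -> Dept1
    {"src_ip": "10.8.64.1"},                          # just past the /18   -> no match
    {"src_ip": "10.17.200.9"},                        # inside 10.17.0.0/16 -> Dept2
    {"src_ip": "not-an-ip"},                          # malformed value     -> no match
    {"src_ip": "10.17.1.1", "Department": "Manual"},  # OUTPUTNEW keeps existing value
]


def enrich_all(events=EVENTS):
    """Run the automatic lookup over all sample events and return the results."""
    table = load_cidr_lookup(IPAM_CSV, "src_ip")
    return [apply_lookup(e, table, "src_ip", "Dept", "Department") for e in events]


if __name__ == "__main__":
    for e in enrich_all():
        print(e)
```

Running the script prints the enriched events; the last one shows why OUTPUTNEW leaves an existing Department value untouched, whereas OUTPUT in the props.conf line would overwrite it. The same lookup definition can also be applied by hand in a search with `| lookup ipam src_ip OUTPUTNEW Dept AS Department`. How Splunk resolves several overlapping matching rows is governed by transforms.conf settings not covered on this page, so the function above simply returns all matches in file order and uses the first.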
That's all.
Contact: Macnica Splunk team
- TEL: 045-476-2010
- E-mail: splunk-sales@macnica.co.jp
Weekdays: 9:00-17:00