Hey Splunk, long time lurker, first time poster.
I am attempting to perform an automatic CIDR lookup from a CSV file on a specific sourcetype. I can manually perform the lookup and get data back, but can't figure out what is wrong with my props.conf configuration for automatic results. I appreciate any advice provided. This app is running in Splunk 6.6.3 in a Search Head Cluster.
props.conf
[rfc5424_syslog]
LOOKUP-check = IP_Ranges ip_range AS host OUTPUT range_name
transforms.conf
[IP_Ranges]
filename = ips.csv
match_type = CIDR(ip_range)
fields_list = ip_range, range_name
ips.csv
ip_range,range_name
10.0.0.0/8,"US Generic One"
10.10.10.0/24,"US Generic Two"
When I perform the following search, I see the expected results:
sourcetype=rfc5424_syslog | head 20 | lookup IP_Ranges ip_range AS host OUTPUT range_name | table host, range_name
When I perform the following search, I am not seeing range_name fields added automatically:
sourcetype=rfc5424_syslog