I have the following lookup:
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
ipam.csv
src_ip,Dept
10.8.1.0/10,Soap
10.17.101.0/16,Clean
10.17.102.0/15,Clean
When I do a search, though, much more than what I would expect is being matched (I masked the results; the first is full, the second and third are abbreviated for readability):
» 7/3/13 7:42:30.000 AM Jul 3 07:42:30 ... %ASA-6-305012: Teardown dynamic TCP translation from inside:.../** to outside:.../** duration 0:00:30 host=... | sourcetype=cisco_asa | source=/var/log/syslog/blah.log | src_ip=10.35.36.20 | Department=Soap
» 7/3/13 7:42:30.000 AM
src_ip=10.15.1.12 | Department=Soap
» 7/3/13 7:42:30.000 AM
src_ip=10.17.31.174 | Department=Soap | Department=Clean
So as you can see, the CIDR matching is not really working well. The first and second results are incorrect IP ranges for the Soap department, and the third entry matches both departments when it should simply match Clean.
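
Added example, not part of the original post: assuming the lookup applies standard CIDR prefix semantics (bits below the prefix length are ignored), this Python sketch computes the address range each ipam.csv entry covers and which Dept values the three src_ip addresses from the results fall into. The function names are hypothetical; the CSV rows and addresses are copied from the post.

```python
import csv
import io
import ipaddress

# ipam.csv rows copied from the post above.
IPAM_CSV = """src_ip,Dept
10.8.1.0/10,Soap
10.17.101.0/16,Clean
10.17.102.0/15,Clean
"""

def load_ipam(text):
    """Parse the lookup into (original entry, normalized network, Dept) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # strict=False masks off the host bits (assumed prefix-match behaviour).
        net = ipaddress.ip_network(row["src_ip"], strict=False)
        rows.append((row["src_ip"], net, row["Dept"]))
    return rows

def effective_range(entry):
    """Return (first, last) address covered by a CIDR entry after masking."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)

def has_host_bits(entry):
    """True when the written address is not the base address of its network."""
    written = ipaddress.ip_interface(entry)
    return written.ip != written.network.network_address

def departments_for(ip, rows):
    """Return the distinct Dept values whose network contains ip, in file order."""
    addr = ipaddress.ip_address(ip)
    seen = []
    for _entry, net, dept in rows:
        if addr in net and dept not in seen:
            seen.append(dept)
    return seen

if __name__ == "__main__":
    rows = load_ipam(IPAM_CSV)
    for entry, _net, dept in rows:
        first, last = effective_range(entry)
        flag = " (host bits set)" if has_host_bits(entry) else ""
        print(f"{entry:<16} {dept:<6} covers {first} - {last}{flag}")
    # The three src_ip values shown in the search results.
    for ip in ("10.35.36.20", "10.15.1.12", "10.17.31.174"):
        print(ip, "->", departments_for(ip, rows))
```

Running the same check over a lookup file before deploying it flags entries whose written address has host bits set, which is where the covered range differs from what the entry appears to say.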