Fellow Splunkers
I am building a query where I want to report on location based on source IP address. For example within our internal network the subnet 10.50.6.0/24 corresponds to Sydney, whereas 10.50.7.0/24 corresponds to Melbourne. Thus far I have been able to prove my approach using the cidrmatch function as follows:
eval location=case(cidrmatch("10.50.6.0/24",src_ip),"Sydney", cidrmatch("10.50.7.0/24",src_ip),"Melbourne")
Using a case statement doesn't scale when I have hundreds of subnets spread across Australia and New Zealand. I was thinking of having a lookup table of the following format:
Subnet,Location
10.50.6.0/24,Sydney
10.50.7.0/24,Melbourne
My problem is that I have not been able to find a way to perform the appropriate lookup.
I have the following questions:
- Can anyone suggest a way to execute a CIDR-based query against a lookup table?
- Is there an alternative/better solution to the above that will allow me to match an internal source IP to a location of my choosing?
Many thanks
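Worked example added here (not part of the original post or of Splunk): the same subnet-to-location lookup in Python, driven by a table in the poster's Subnet,Location format. The table is constructed and extends the two rows above with an overlapping /25 and a /16, to show that the most specific subnet wins and that an address outside the table yields no location.

```python
import csv
import io
import ipaddress
from typing import List, Optional, Tuple

# Constructed lookup table in the Subnet,Location format from the post.
# The 10.50.6.128/25 row overlaps 10.50.6.0/24 to exercise most-specific matching.
SUBNET_TABLE_CSV = """Subnet,Location
10.50.6.0/24,Sydney
10.50.6.128/25,Sydney DC2
10.50.7.0/24,Melbourne
10.60.0.0/16,Auckland
"""


def load_subnet_table(csv_text: str) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """Parse the CSV into (network, location) pairs, rejecting malformed subnets."""
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["Subnet"].strip(), strict=True)
        except ValueError as exc:
            raise ValueError(f"bad Subnet entry {row['Subnet']!r}: {exc}") from exc
        table.append((net, row["Location"].strip()))
    # Longest prefix first, so the first hit is the most specific subnet.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_location(table, src_ip: str) -> Optional[str]:
    """Return the location of the most specific matching subnet, or None.

    Same effect as chaining cidrmatch() calls inside eval case(), but driven
    by the table rather than hand-written SPL per subnet.
    """
    try:
        addr = ipaddress.ip_address(src_ip.strip())
    except ValueError:
        return None  # empty, hostname or otherwise unparsable src_ip
    for net, location in table:
        if addr.version == net.version and addr in net:
            return location
    return None  # internal address missing from the table, or a public IP


if __name__ == "__main__":
    table = load_subnet_table(SUBNET_TABLE_CSV)
    for ip in ("10.50.6.10", "10.50.6.200", "10.50.7.33", "10.60.4.1", "203.0.113.9"):
        print(ip, "->", lookup_location(table, ip))
```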