Stepping through what we added, we have:
match_type = WILDCARD(url): This says that the value of the field url in the
lookup file may contain wildcards. In our example, the URL might look like
/contact/* in our CSV file.
max_matches = 1: By default, up to 10 entries that match in the lookup file
will be added to an event, with the values in each field being added to a
multivalue field. In this case, we only want the first match to be applied.
CIDR wildcard lookups
CIDR wildcards look very similar to text-based wildcards but use Classless
Inter-Domain Routing rules to match lookup rows against an IP address.
Let's try an example.
Say we have this lookup file:
ip_range,network,datacenter
10.1.0.0/16,qa,east
10.2.0.0/16,prod,east
10.128.0.0/16,qa,west
10.129.0.0/16,prod,west
It has this corresponding definition in transforms.conf:
[ip_address_lookup]
filename = ip_address_lookup.csv
match_type = CIDR(ip_range)
max_matches = 1
And, there are a few events such as these:
src_ip=10.2.1.3 user=mary
src_ip=10.128.88.33 user=bob
src_ip=10.1.35.248 user=bob
We could use our lookup to enrich these events like so:
src_ip="*"
| lookup ip_address_lookup ip_range as src_ip
| table src_ip user datacenter network
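To make the matching rules concrete, here is an added Python model of what the two lookup definitions above do; it is not code from the book or from Splunk itself. It reimplements WILDCARD and CIDR row matching and the max_matches cutoff over in-memory CSV text, so you can see which row wins when several match and how a multivalue field arises when max_matches is larger than 1. The CIDR rows are the ones from the text; the URL lookup (columns url,section), the event dictionaries and the helper names (enrich, cidr_match, wildcard_match, run_cidr_example, run_wildcard_example) are all constructed for this example.

```python
import csv
import fnmatch
import io
import ipaddress

# Constructed lookup files. The CIDR rows mirror the text; the URL rows
# are invented for this example.
IP_LOOKUP_CSV = """ip_range,network,datacenter
10.1.0.0/16,qa,east
10.2.0.0/16,prod,east
10.128.0.0/16,qa,west
10.129.0.0/16,prod,west
"""

URL_LOOKUP_CSV = """url,section
/contact/*,contact
/admin/*,admin
/*,other
"""


def load_lookup(csv_text):
    """Read a lookup file into a list of row dictionaries, preserving file order."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def cidr_match(row_value, event_value):
    """match_type = CIDR(field): the event value is an IP inside the row's network.
    Unparseable networks or addresses simply do not match."""
    try:
        net = ipaddress.ip_network(row_value, strict=False)
        addr = ipaddress.ip_address(event_value)
    except ValueError:
        return False
    return addr in net


def wildcard_match(row_value, event_value):
    """match_type = WILDCARD(field): '*' in the row value matches any run of
    characters, including '/'. (fnmatch also treats '?' and '[...]' specially,
    which a real lookup file would not; avoid those in the row values.)"""
    return fnmatch.fnmatchcase(event_value, row_value)


def enrich(events, rows, lookup_field, event_field, matcher, max_matches=1):
    """Apply the lookup: for each event, scan rows in file order, keep at most
    max_matches matching rows, and add the other columns as output fields.
    A single match yields a plain value; several yield a multivalue list."""
    columns = [c for c in (rows[0].keys() if rows else []) if c != lookup_field]
    enriched = []
    for event in events:
        out = dict(event)
        value = event.get(event_field)
        matches = []
        if value is not None:
            for row in rows:
                if matcher(row[lookup_field], value):
                    matches.append(row)
                    if len(matches) >= max_matches:
                        break  # max_matches = 1 stops at the first hit
        for col in columns:
            values = [m[col] for m in matches]
            if len(values) == 1:
                out[col] = values[0]
            elif len(values) > 1:
                out[col] = values
        enriched.append(out)
    return enriched


IP_ROWS = load_lookup(IP_LOOKUP_CSV)
URL_ROWS = load_lookup(URL_LOOKUP_CSV)

# Constructed events: the three from the text plus one outside every range.
EVENTS = [
    {"src_ip": "10.2.1.3", "user": "mary"},
    {"src_ip": "10.128.88.33", "user": "bob"},
    {"src_ip": "10.1.35.248", "user": "bob"},
    {"src_ip": "192.0.2.7", "user": "eve"},
]


def run_cidr_example():
    """Equivalent of: | lookup ip_address_lookup ip_range as src_ip"""
    return enrich(EVENTS, IP_ROWS, "ip_range", "src_ip", cidr_match, max_matches=1)


def run_wildcard_example(max_matches=1):
    """WILDCARD(url) lookup; raise max_matches to see the multivalue result."""
    events = [{"url": "/contact/us"}, {"url": "/admin/users"}, {"url": "/index.html"}]
    return enrich(events, URL_ROWS, "url", "url", wildcard_match, max_matches)


if __name__ == "__main__":
    for e in run_cidr_example():
        print(e["src_ip"], e["user"], e.get("datacenter"), e.get("network"))
    print(run_wildcard_example(max_matches=10))
```

Row order matters once more than one row can match: with max_matches = 1 the first row in the file wins, so a catch-all such as /* belongs at the bottom of the lookup file. An event whose IP falls in no range gets no datacenter or network field at all, which is what you want to see in the table rather than a silent default.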