Matching an IP address from a lookup table of CIDR ranges.

I am trying to search events where the destination IP is in a lookup table consisting of a list of CIDR ranges (and three other columns that note the zone, firewall, and context), and I'm having issues getting output to return the subnets that matched the SRC and. I have created a csv lookup file that looks like this: computerip Sitename 10.89.64.0/24.

You cannot use the CIDRMATCH feature of lookups without properly defining the lookup. The lookup settings are:

Match mode: Defines the format of the lookup file, and indicates the matching logic that will be performed.

Match type: For CIDR and Regex Match modes, this attribute refines how to resolve multiple matches. First match will return the first matching entry. Most specific will scan all entries, finding the most specific match. All will return all matches in the output, as arrays.

Lookup fields (.csv): Field(s) that should be used to key into the lookup table.

Lookup field name in event: Exact field name as it appears in events.

Corresponding field name in lookup: The field name as it appears in the lookup file. Defaults to the Lookup field name in event value.

assetlookupbycidr represents CIDR blocks of addresses and their attributes. assetlookupbystr is for individual assets and their specific attributes.

When you configure this field via a distributed deployment's Leader Node, Cribl Stream will swap $CRIBL_HOME/groups// for $CRIBL_HOME when validating whether the file exists. In this case, the default upload path changes from $CRIBL_HOME/data/lookups (single-instance deployments) to $CRIBL_HOME/groups//data/lookups/ (distributed deployments).
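As an added illustration (not Cribl Stream's own code and not from the original page), the following Python models the three Match type settings described above over a constructed CIDR lookup table; only the 10.89.64.0/24 row is taken from the page, the other rows and the column names zone/firewall/context are invented for the example.

```python
import ipaddress

# Constructed lookup table (only the 10.89.64.0/24 row comes from the page).
# Columns mirror a CIDR asset lookup: cidr plus zone, firewall and context.
# Rows deliberately overlap so that the three Match types give different results.
LOOKUP = [
    {"cidr": "10.89.0.0/16",    "zone": "corp",       "firewall": "fw-core", "context": "campus"},
    {"cidr": "10.89.64.0/24",   "zone": "site-a",     "firewall": "fw-a",    "context": "branch"},
    {"cidr": "10.89.64.128/25", "zone": "site-a-dmz", "firewall": "fw-a",    "context": "dmz"},
]


def _parsed(table):
    """Pair each row with its parsed network, preserving file order."""
    return [(ipaddress.ip_network(row["cidr"], strict=False), row) for row in table]


def cidr_lookup(ip, table, match_type="first"):
    """Return the row(s) whose CIDR contains `ip`, resolved per Match type.

    "first"    -> the first matching entry in file order
    "specific" -> the most specific match (longest prefix)
    "all"      -> every match, with each field returned as an array
    Returns None when no entry contains the address.
    """
    addr = ipaddress.ip_address(ip)
    hits = [(net, row) for net, row in _parsed(table)
            if net.version == addr.version and addr in net]
    if not hits:
        return None
    if match_type == "first":
        return hits[0][1]
    if match_type == "specific":
        return max(hits, key=lambda h: h[0].prefixlen)[1]
    if match_type == "all":
        fields = [k for k in hits[0][1] if k != "cidr"]
        return {k: [row[k] for _, row in hits] for k in fields}
    raise ValueError(f"unknown match_type {match_type!r}")


if __name__ == "__main__":
    # Same destination address, three different answers depending on Match type.
    for mode in ("first", "specific", "all"):
        print(mode, cidr_lookup("10.89.64.200", LOOKUP, mode))
```

With "first", file order decides, so an overly broad row placed at the top of the CSV silently wins; "specific" is what most asset-enrichment use cases want.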