krestenkrab
commented
6 years ago With humio 1.1, we now allow multiple subnets for the cidr() subnet argument.
Closed henrikjohansen closed 5 years ago
krestenkrab
commented
6 years ago With humio 1.1, we now allow multiple subnets for the cidr() subnet argument.
henrikjohansen
commented
6 years ago This is definitively an improvement :) My original use-case however was to add additional data to an event based on cidr() matches.
If you could upload a CSV file a lá the one below and use the lookup API you could enrich events based on where or what they are from which is super useful :)
scope, location, comment,
1.1.1.0/24, datacenter1, server-net
2.2.2.0/24, office1, remote-branch-office
3.3.3.0/24, headquarters,headquarters
4.4.4.4/32, asia1, super important machineHmm. Reflecting a bit more over this perhaps it would be most beneficial to expose a ,function=foo() argument to lookup().
This would ensure that you can use a multitude of matching operators instead of "inventing" a query function each time?
I could definitively use regex() for matching different services to do tracing and stuff besides cidr() :)
anagrius
commented
5 years ago @krestenkrab What is the status on this?
mortengrouleff
commented
5 years ago cidr() support a file+column variant that loads the subnets from a file from version 1.5.14.
We need to lookup lot's and lot's of subnets - having the ability to provide them to
cidr()as a file (like inlookup()) would be hugely beneficial for the way we currently write our queries.Microsoft for example provides a downloadable CSV file with all of their subnets - having the ability to exclude those by uploading them as a file would be awesome. Related to #23 :)