Hi everyone,
I have a data table with two columns: destination_ip and location.
The destination IP column contains values in CIDR format.
The location column contains strings (e.g., country names).
I want to run a search/query where I filter results for location to a specific country (e.g., Italy) from the query directly.
What’s the best way to fetch the string value (location) from the data table based on the IP, so I can filter traffic for a country?
Thanks in advance for your help!
Give something like this a try:
events:
// Pre-filter for events that contain at least one IP address.
principal.ip != "" or target.ip != ""
match:
// Collect IP addresses from the event. The fields here are implicitly from
// the events that match the 'events' filter above.
$ip = array_distinct(principal.ip, target.ip)
// Scan every row in the specified data table.
$table_row = $datatable.scan("YOUR_CIDR_TABLE_NAME")
where:
// The join condition: returns true if the event's IP is within the row's CIDR range.
net.ip_in_range($ip, $table_row.YOUR_CIDR_COLUMN)
return:
// Specify which fields to display in the search results.
// You can return fields from the event (e.g., timestamp) and from the
// matched data table row (e.g., $table_row.YOUR_VALUE_COLUMN).
timestamp,
principal.hostname,
principal.ip,
target.ip,
$table_row.YOUR_CIDR_COLUMN,
$table_row.YOUR_VALUE_COLUMN
It does not work unfortanely , cannot use where and return in my dashboard query
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.