03-16-2016 08:43 AM
Currently a number of reports/dashboards use the actual IP of the clients. We are in a bit of a unique position in that we are the recursive server for a number of agencies/divisions who run their own local DNS servers which forward to us, so we never see the actual client address, only the local DNS server. I would like to modify copies of the reports to basically give me results based on the CIDR block that the client belongs to, and roll all clients into that range as a single entry/grouping.
Is this something any of you have already done? I hate to reinvent the wheel, especially when I'm learning a new way of doing it.
03-18-2016 10:22 AM
03-18-2016 11:18 AM
I actually found that exact one last night. I've been poking at using it some today and can see that it's working in the queries, but not getting any display values in the table. It's only a matter of understanding how to tell Splunk to spit it out now.
If all else fails, I'll dig in my drawer for a bigger hammer.
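The rollup asked about in this thread, sketched outside Splunk as an added example (not code from any poster or from the reporting product): each forwarder address is mapped to its most specific CIDR block and query counts are grouped per block. The block list, labels and query rows are constructed placeholders, and all function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample data: ranges and agency labels are placeholders.
BLOCKS = {
    "10.20.0.0/16": "Agency A",
    "10.20.8.0/24": "Agency A - Division 1",  # nested inside Agency A
    "192.0.2.0/24": "Agency B",
    "2001:db8:5::/48": "Agency C",
}

# Constructed (client_ip, query_name) rows standing in for DNS query log data.
QUERIES = [
    ("10.20.1.53", "example.com"),
    ("10.20.8.53", "example.org"),
    ("10.20.8.54", "example.net"),
    ("192.0.2.10", "example.com"),
    ("2001:db8:5::53", "example.com"),
    ("198.51.100.7", "example.com"),  # outside every listed block
    ("not-an-ip", "example.com"),     # malformed client field
]

def build_table(blocks):
    """Parse each CIDR once and order the table most specific prefix first."""
    nets = [(ipaddress.ip_network(cidr), label) for cidr, label in blocks.items()]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def block_for(client, table):
    """Return (cidr, label) for the longest matching prefix, or None."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return None  # unparseable client value
    for net, label in table:
        if addr.version == net.version and addr in net:
            return str(net), label
    return None

def rollup(queries, table):
    """Count queries per CIDR block; anything unmapped lands in one bucket."""
    counts = Counter()
    for client, _name in queries:
        counts[block_for(client, table) or ("unmatched", "unmatched")] += 1
    return counts

if __name__ == "__main__":
    for (cidr, label), n in rollup(QUERIES, build_table(BLOCKS)).most_common():
        print(f"{cidr:<20} {label:<24} {n}")
```

Keeping an explicit "unmatched" bucket makes forwarders that are missing from the block list visible in the report instead of silently dropping them.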