Split Field into Categories - ie Internal and External IP Addresses

I’ve created an extractor for an input that gets the source IP from httpd log entries. So now I have a field called source_ip_address.

Is there a way I can add an extra field based on the IP address to see if it’s a private IP - our internal range - or else classify it as external? The field would only have two values - Internal or External.

Many thanks.

You could write a pipeline rule for that and use a custom lookup table for your private IP range (or use the in_private_net() function from the Threat Intelligence plugin).
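A pipeline-rule version of the suggestion above, added here as an illustration and not taken from the thread. It uses the core cidr_match() function rather than the plugin's in_private_net(), reads the field source_ip_address from the question and writes Internal or External into ip_origin; the RFC 1918 ranges are placeholders to be replaced with the site's own internal range.

```text
// Two rules in the same stage: the first fires for addresses inside the
// internal ranges, the second for everything else. cidr_match() works on
// parsed addresses, so prefix boundaries such as 172.16.0.0/12 are handled
// correctly, which is where a dotted-decimal regex becomes error-prone.
// Placeholder ranges: replace with your own internal CIDR(s).
rule "ip_origin internal"
when
    has_field("source_ip_address") &&
    (cidr_match("10.0.0.0/8", to_ip($message.source_ip_address)) ||
     cidr_match("172.16.0.0/12", to_ip($message.source_ip_address)) ||
     cidr_match("192.168.0.0/16", to_ip($message.source_ip_address)))
then
    set_field("ip_origin", "Internal");
end

rule "ip_origin external"
when
    has_field("source_ip_address") &&
    !(cidr_match("10.0.0.0/8", to_ip($message.source_ip_address)) ||
      cidr_match("172.16.0.0/12", to_ip($message.source_ip_address)) ||
      cidr_match("192.168.0.0/16", to_ip($message.source_ip_address)))
then
    set_field("ip_origin", "External");
end
```

Connect the pipeline to the stream that carries the httpd messages; a source_ip_address value that is not a valid address is parsed by to_ip() as 0.0.0.0 and therefore lands in External, so unparseable values are worth checking separately.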

I had a look at lookup tables, but they seemed to be a bit OTT for what I’m trying to do.

I think I’ve got something working with regex and extractors -

Extractor 1 - Internal IP


Replace with Internal, store in field ip_origin

Extractor 2 - External IP


Replace with External, store in field ip_origin

This seems to be working.

Thanks for getting back to me though.

