Hello comunity,
Sorry if this question has been asked but i do not find the solution....
I try to create a feed with CIDR type index column and the "device ip" on meta callback. But she does not work.
My custom meta work with another feed. But Only meta "ip.src" or "ip.dst" is considerate for the indexation with a feed on CIDR. I read in forum or RSA documentation that custom xml with "metacallback" attribut allows to select another meta for indexing, but I can't ...
May be is my xml file or a bad practice ? I try 2 xml with <MetaCallback> but nothing. What do you think, Can you help me please ?
- My meta is in "index-concentrator-cutom"
- My XML and my CSV File :
or i try like that :
- My CSV :
- I have restart the nwconcentrator service but nothing :
You can change the value of ip.dst and ip.src to device.ip.
Go to the Decoder explorer mode than change the value as shown below.
Hello,
thanks for your help. I don't have this attribut in "parsers\config" but it is in "parsers\feeds\feedsname".
Effectively, I can't change this value but I see "device.ip" in "feed.callbacks" attribut. So I imagine my xml is correctly writte ?
But curiously, I see the "feed.entries" and "feed.values" equal 0 ?? my CSV is not read ???
When i try to create the same feeds with the same csv and xml file but without metacallback parameter , she's working with "ip.src" or" ip.dst" and i see the number of "feed.entries" ??
I can't change the "feed.callbacks" attribut for cheat ???
I don't have more idea 
My understanding is that cidr notation would only work against ip.src and ip.dst. Therefore, it would not work against the device.ip meta key.
Device.ip is generally specific to the event source for logs, but if you were trying to categorize them based on the logging source (device.ip) you would need to expand out the cidr block into individual ip's. Not ideal, but it can be worked around with some python.
Using your csv as a starting point, we convert the cidr blocks into individual IP's along with the meta for that enrichment column.
python litecidr.py [input_file] [output_file]
The script is as follows:
#!/usr/bin/python
import sys
from netaddr import IPNetwork
# Read in file
file=open(sys.argv[1])
outfile=open(sys.argv[2],'w')
for line in file:
tmpline=line.split(",")
for ip in IPNetwork(tmpline[0]):
#print('%s' % ip + "," + tmpline[1])
tmpout='%s' % ip + "," + tmpline[1]
outfile.write(tmpout)
outfile.close()
I hope you find this useful.
Chris
Hello Christopher,
Thank you very much for your help and your script 
I thought of create my feeds on simply ip. It's a good solution for a little feeds but I have much more IPs (internal IPs) I'm afraid it takes a lot of ressources, no ?!? May be create filters for each rules but the request will be great for informations My CIDRs :
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
50.240.245.212/30
51.62.188.0/30
51.62.188.4/30
51.62.188.8/29
51.62.188.16/28
51.62.188.32/27
51.62.188.64/27
51.62.188.96/27
51.62.188.128/25
51.62.189.0/25
51.62.189.128/28
51.62.189.144/28
51.62.189.160/27
51.62.189.192/27
51.62.189.224/27
51.62.204.0/25
51.62.204.128/26
51.62.204.192/26
62.23.167.224/27
62.161.109.188/30
81.93.10.128/28
83.145.88.192/28
85.233.204.192/28
90.80.10.160/28
90.80.175.240/29
92.103.163.240/30
92.103.163.244/30
92.103.163.248/29
92.103.212.224/27
92.168.97.16/28
93.103.163.240/30
93.62.124.0/24
94.103.103.24/29
185.8.253.8/29
195.68.112.0/28
195.68.112.16/28
195.68.112.32/28
195.68.112.48/28
195.68.112.64/26
195.68.112.128/25
195.101.77.0/29
195.110.92.152/29
212.234.30.32/27
217.74.110.24/29
217.109.196.96/29
217.111.186.136/29
217.117.146.0/28
217.117.151.160/27
Hi Ravichandrein,
Thank for your help me too, I'm in V10.5. Ok I will test this solution. On Non-IP Data your CSV still contains CIDR column like my file ?
Regards
