iplookup
Queries the asset IP address list, or looks up manager information by matching input record IP addresses against the asset IP list.
Command properties
| Property | Value |
|---|---|
| Command type | Driver query or transforming |
| Required permission | Administrator |
| License usage | Not counted |
| Parallel execution | Supported |
| Distributed execution | Not supported |
Syntax
To query the full list of asset IP addresses:
To look up manager information by matching input record IP addresses against the asset IP list:
Options
key=FIELD: Name of the field containing the IP address to match against the asset IP list. The field value must be of string or IP address type. If this option is omitted, the command operates as a driver query and returns the full asset IP list.
Output fields
When running as a driver query (without the key option):
| Field | Type | Description |
|---|---|---|
| priority | integer | Priority |
| ip | string | IP address |
| category_name | string | Device category name |
| emp_key | string | Manager employee ID |
| emp_name | string | Manager name |
| dept_name | string | Manager department name |
| company_name | string | Company name |
| hostname | string | Hostname |
| workgroup | string | Workgroup |
| description | string | Notes |
| os_name | string | Operating system name |
| os_ver | string | Operating system version |
| created | timestamp | Creation date and time |
| updated | timestamp | Modification date and time |
When running as a transforming query (with the key option):
| Field | Type | Description |
|---|---|---|
| emp_key | string | Manager employee ID |
| emp_name | string | Manager name |
All fields from the input record are included in the output. If a match is found in the asset IP list, the emp_key and emp_name fields are added. If the IP address is not registered in the asset IP list or no manager is assigned, both fields are null.
Error codes
Parsing errors
| Error code | Message | Description |
|---|---|---|
| 399999 | 유효하지 않은 소나 세션 | No Sonar session permission |
Runtime errors
N/A
Description
The iplookup command operates in two modes depending on whether the key option is specified.
When the key option is omitted, it operates as a driver query and returns the full list of asset IP addresses registered for the current company. Key properties of each IP address object are returned as output fields.
When the key option is specified, it operates as a transforming query. For each input record, it reads the IP address value from the field specified by key and matches it against the asset IP list. If a match is found, the manager's employee ID (emp_key) and name (emp_name) from the matching IP address are added as output fields. The key field value must be of string or IP address type. If no match is found, no output fields are added.
Examples
- Query the full asset IP list

  ```
  iplookup
  ```

  Queries all asset IP address information registered for the current company.

- Look up manager information by matching input record IP addresses

  ```
  json "[{'src_ip': '192.0.2.1'}, {'src_ip': '192.0.2.2'}, {'src_ip': '198.51.100.5'}]" | iplookup key=src_ip
  ```

  Matches the IP addresses in the src_ip field against the asset IP list and adds the manager's employee ID and name to matching records in the emp_key and emp_name fields.

- Add manager information to table query results

  ```
  table duration=1h firewall_logs | iplookup key=src_ip | fields _time, src_ip, dst_ip, dst_port, emp_key, emp_name
  ```

  Adds manager information by matching the source IP address in firewall logs against the asset IP list, then selects only the key fields.
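The following query is an added example, not part of the original reference. It uses the transforming mode to surface firewall source IP addresses that have no manager on record. The firewall_logs table and src_ip field are taken from the example above. The search, stats, and sort commands and the isnull function are assumed to be available in the query language, as they are not documented on this page.

```logpresso
table duration=1h firewall_logs | iplookup key=src_ip | search isnull(emp_key) | stats count by src_ip | sort -count
```

A null emp_key covers two cases: the IP address is not registered in the asset IP list, or it is registered but no manager is assigned. Running iplookup without the key option and checking for the address in the ip field tells the two apart.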