7.5 Adding a Number Range Map Definition

To use the range map functionality, a map definition must have only one key column and the key column must be of type NumberRange. If there are any other key columns, or if the key column is of a different type, the mapping service does not consider the map to be a range map.

To create a range map, select a single column to be the key of the map and select NumberRange as the type of the column. The format of the data in a column of type NumberRange must be "m-n", where m is the minimum number in the range and n is the maximum number in the range (for example, 10-200). The maximum number in the range is not included in the range (m,n). This means a range of 10-200 matches only the numbers 10 through 199. In the following example data set, the first column is defined as the key column:

1-2,AA
2-4,AA
4-12,BB
10-20,BB
30-31,BB
100-200,AA
110-120,CC

When the source CSV file is loaded into the system, any common or overlapping number ranges are collapsed into a single entry as follows:

Table 7-3 Transformation

FROM           TO
1-2, AA        1-4, AA
2-4, AA        4-20, BB
4-12, BB       30-31, BB
10-20, BB      100-110, AA
30-31, BB      110-120, CC
100-200, AA    120-200, AA
110-120, CC

Figure 7-3 Number Range Map Definition

An example event configuration on the above map might look like this:

Figure 7-4 Event Configuration

In the scenario above, CustomerVar97 must contain a numeric value. That value is compared against each NumberRange defined in the RangeMap until a match is found. The corresponding row from the map is returned and used to set CustomerVar89, as follows:

CustomerVar97 = 1; CustomerVar89 will be set to AA
CustomerVar97 = 4; CustomerVar89 will be set to BB
CustomerVar97 = 300; CustomerVar89 will not be set

For Sentinel event fields that are defined as having an IP address or Date datatype, Sentinel internally converts the values of those fields to an integer representation.

Fields that are defined as IP address fields are:

Fields that are defined as Date fields are:

The conversions for IP addresses are simple octet mappings to decimal integers, which you can calculate using any online calculator. The following example shows a numerical range equivalent to an IP range of 10.0.0.0 to 10.0.2.255.

167772160-167772415,AAA
167772416-167772671,BBB
167772672-167772927,CCC

Using the same setup as the previous example, if an event contains a target IP of 10.0.1.14 (equivalent to the numerical value 167772430), the output for column CustomerVar89 within the event is BBB.
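The following Python sketch is an added example, not Sentinel code. It parses NumberRange rows, collapses them so that the result matches Table 7-3, and performs the lookup with an exclusive maximum, including the IP address case. The collapse rule (a later row overrides earlier rows where they overlap) is an assumption inferred from Table 7-3, and all function names are hypothetical.

```python
import ipaddress
import re

# "m-n,value"; m and n may be negative, and n is exclusive per the page.
ROW = re.compile(r"\s*(-?\d+)\s*-\s*(-?\d+)\s*,(.*)$")

def parse_rows(csv_text):
    """Parse CSV lines into (min, max, value) tuples, rejecting min > max."""
    rows = []
    for line in csv_text.strip().splitlines():
        m = ROW.match(line)
        if not m:
            raise ValueError(f"not a NumberRange row: {line!r}")
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:  # the page's NOTE: min must be <= max
            raise ValueError(f"min greater than max: {line!r}")
        rows.append((lo, hi, m.group(3).strip()))
    return rows

def collapse(rows):
    """Assumed rule: a later row overrides earlier rows where they overlap;
    touching or overlapping rows with the same value are merged."""
    segs = []
    for lo, hi, val in rows:
        cut = []
        for a, b, v in segs:  # keep the parts of older segments outside [lo, hi)
            if a < lo:
                cut.append((a, min(b, lo), v))
            if b > hi:
                cut.append((max(a, hi), b, v))
        segs = cut + ([(lo, hi, val)] if lo < hi else [])
    merged = []
    for lo, hi, val in sorted(segs):
        if merged and merged[-1][2] == val and merged[-1][1] >= lo:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi), val)
        else:
            merged.append((lo, hi, val))
    return merged

def lookup(ranges, number):
    """Return the value of the range containing number, or None (field not set)."""
    return next((v for lo, hi, v in ranges if lo <= number < hi), None)

def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))  # octet-to-decimal conversion

# Both data sets are copied from the examples on this page.
SAMPLE = "1-2,AA\n2-4,AA\n4-12,BB\n10-20,BB\n30-31,BB\n100-200,AA\n110-120,CC"
IP_SAMPLE = "167772160-167772415,AAA\n167772416-167772671,BBB\n167772672-167772927,CCC"
```

Under the exclusive-maximum rule stated earlier, lookup returns no match for 167772415 (10.0.0.255), because the first sample row ends at 167772415 and the second begins at 167772416.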

Dates are represented as an integer number of seconds since midnight January 1, 1970. Date and time ranges can be used in maps in a similar fashion to the IP address sample above.

Sentinel supports the following number ranges:

NOTE: In all cases, the min must be less than or equal to the max (for example, "-234- -235" is NOT valid).