topic Re: CIDR search on host field in Getting Data In

CIDR search on host field

afaraino — Fri, 13 Jan 2012 14:49:33 GMT

Hello Everyone,

I'm facing a strange behavior here :

searching host=10.1.2.* returns 511,000+ results
searching host=10.1.2.0/24 returns 807 results

Am I missing something?

I'm using Splunk 4.2.4.

Regards,

Alexandre Faraino

Re: CIDR search on host field

SarahWKarvenz — Fri, 13 Jan 2012 21:39:49 GMT

Are the ones returning for the subset of records from a specific data input or set of inputs? I am finding that the CIDR search host=127.0.0.1/24 will work if Splunk is setting the host as the IP which it does for data inputs of type TCP or UDP. If I use a file or directory input type and then set the host field value to an IP address, those data inputs aren't picked up in the CIDR search host=127.0.0.1/24 but will be found in the search host=127.0.0.*

One way around it is to use the cidrmatch function as it will pick up records from both types of data inputs:
* | where cidrmatch("127.0.0.1/24", host), but so will the 127.0.0.*

Re: CIDR search on host field

afaraino — Mon, 16 Jan 2012 08:51:34 GMT

Actually, it's 100% UDP. So the host field should be an IP. The cidrmatch() function is working, but it's not user-friendly.

I tried something else :

host=10.1.2.* host=10.1.2.0/24
--> returns nothing
host=10.1.2.* | search host=10.1.2.0/24
--> returns 48k+ matches

Bug spotted ? I'll open a case.

Re: CIDR search on host field

tmeader — Mon, 30 Nov 2015 19:23:47 GMT

Is there any update on whether or not this is going to be fixed? I'm running into the same issue as the original author right now.