topic Re: How do I do a CIDR match with an inputlookup? in Splunk Search

How do I do a CIDR match with an inputlookup?

adepasquale — Wed, 06 Feb 2019 18:57:36 GMT

Hi All,

I have a lookup that currently works. I've set match_type to CIDR(netRange) in my transforms file and everything works when I pass it an IP address to find in the range.

However, I'm looking to use this lookup table without a search. So I went with the creating command inputlookup, but for the life of me, I cannot get a CIDR match to work. I want to pass it an IP, and have it find the matching CIDR notation in netRange.

Is there no way to do this with the inputlookup command — why is it not honoring my transform?

This works:

index="main" | eval cip="1.1.1.1" | lookup IP2ASN netRange AS cip

This does not work

|inputlookup IP2ASN where netRange=1.1.1.1

Re: How do I do a CIDR match with an inputlookup?

Vijeta — Wed, 06 Feb 2019 19:26:56 GMT

@adepasquale Try this-

|inputlookup IP2ASN  | where netRange="1.1.1.1"

Re: How do I do a CIDR match with an inputlookup?

adepasquale — Wed, 06 Feb 2019 19:32:27 GMT

This doesn't work either. netRange has values like 1.0.0.0/24, 1.0.1.0/24, 1.1.1.0/24, etc...

Re: How do I do a CIDR match with an inputlookup?

somesoni2 — Wed, 06 Feb 2019 19:33:59 GMT

Try this

| makeresults | eval cip="1.1.1.1" | lookup IP2ASN netRange AS cip

Re: How do I do a CIDR match with an inputlookup?

adepasquale — Wed, 06 Feb 2019 19:37:42 GMT

Gold! thank you, and to be clear... I'm not actually issuing a search with "makeresults"?

Re: How do I do a CIDR match with an inputlookup?

somesoni2 — Wed, 06 Feb 2019 19:55:37 GMT

You're running a search command that generates a dummy row (not searching actual indexes). Technically it's still a search.

Re: How do I do a CIDR match with an inputlookup?

adepasquale — Wed, 06 Feb 2019 20:09:32 GMT

It'll do, thanks again.