https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/532973#M150557 <P>To use a CIDR match you need each row in the lookup to have a single row per CIDR block.</P><P>So if your lookup has comma separated CIDR blocks you need to split these into rows.</P><P>You can either do this by manually splitting the data and adding rows, or you could use |inputlookup,&nbsp; split the field, then mvexpand and re-write the (or create a new)&nbsp; lookup.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval cidr="192.168.1.0/24,192.168.30.0/24", location="London" | table cidr location | eval cidr=split(cidr,",")|mvexpand cidr</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>replace the first 3 lines with |inputlookup yourfile.csv<BR />add at the end |outputlookup yourNewfile.csv to write a new file</P><LI-CODE lang="markup">| inputlookup yourfile.csv | eval cidr=split(cidr,",")|mvexpand cidr | outputlookup yourNewfile.csv</LI-CODE> Mon, 14 Dec 2020 11:15:49 GMT nickhills 2020-12-14T11:15:49Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/532972#M150556 <P>Hi, I have a lookup table with IP ranges and locations. The problem is in the IP range column there can be several IP ranges separated by comma. How can match the client IP address with the right location?</P> Mon, 14 Dec 2020 10:47:39 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/532972#M150556 pgomezji 2020-12-14T10:47:39Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/532973#M150557 <P>To use a CIDR match you need each row in the lookup to have a single row per CIDR block.</P><P>So if your lookup has comma separated CIDR blocks you need to split these into rows.</P><P>You can either do this by manually splitting the data and adding rows, or you could use |inputlookup,&nbsp; split the field, then mvexpand and re-write the (or create a new)&nbsp; lookup.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| makeresults | eval cidr="192.168.1.0/24,192.168.30.0/24", location="London" | table cidr location | eval cidr=split(cidr,",")|mvexpand cidr</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>replace the first 3 lines with |inputlookup yourfile.csv<BR />add at the end |outputlookup yourNewfile.csv to write a new file</P><LI-CODE lang="markup">| inputlookup yourfile.csv | eval cidr=split(cidr,",")|mvexpand cidr | outputlookup yourNewfile.csv</LI-CODE> Mon, 14 Dec 2020 11:15:49 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/532973#M150557 nickhills 2020-12-14T11:15:49Z https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/533572#M150780 <P>Thanks, I was afraid of that answer.</P> Fri, 18 Dec 2020 14:12:12 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-table-with-several-IP-ranges-per-row/m-p/533572#M150780 pgomezji 2020-12-18T14:12:12Z