topic Re: CIDR match not working on Splunk 8.X in Splunk Search

CIDR match not working on Splunk 8.X

duartet — Wed, 14 Apr 2021 13:20:27 GMT

Hi,

We have been migrating objects from Splunk 7.3.9 to Splunk 8.X and have found some strange issue, hope someone has a clue.

So basically we have a lookup file with a definition using cidr match.

The csv contains, among other fields, an ip, cidr and subnet columns.

Ex:

ip	cidr	subnet
10.1.1.2	10.1.1.2/32	10.1.1.0/24

This is on "Lookup Definition" match type:

CIDR(cidr)

However if I try to do this simple query:

| makeresults
| eval ip="10.1.1.2"
| table ip
| lookup <lookup_name> cidr as ip OUTPUT subnet, it doesn't work.

The exact same thing is working properly in splunk 7.3.9.

Any clue?

Kind regards,

Tiago

CIDR match not working on Splunk 8.X

maciep — Sat, 17 Apr 2021 13:09:20 GMT

I just tried with 8.1.3 and wasn't able to reproduce. Also didn't see anything in the release notes about that. Can you reproduce with a new lookup as a quick test?

can you lookup by ip instead of cidr, just to make sure the lookup works in general? could there be anything annoying like whitespace in the cidr field? may be worth diving into props/transforms to ensure nothing got moved/modified/overwritten during the upgrade?

Re: CIDR match not working on Splunk 8.X

duartet — Mon, 19 Apr 2021 08:17:41 GMT

Hi,

So basically I have tested this in 3 different Splunk SHs. One with 7.3.9 where all is working fine, another with 8.0.4.1 with same configurations (csv and lookup definition) , and another with 8.0.8, that I have upgraded to 8.1.3, also with same configuration.

I have tried before matching directly with IP and it works, but not with cidr field. There's no extra whitespaces, the same lookup works properly on 7.3.9 matching cidr field.

I have configured the lookup fresh via gui on both Splunk 8.X SHs and it didn't work anyway.

Tried in search time use the cidrmatch function and it works.

So basically the only thing not working is CIDR in lookup definition.

Hope this clarifies.

Thanks

Re: CIDR match not working on Splunk 8.X

marand — Tue, 19 Oct 2021 13:43:24 GMT

I had the same problem with the maxmind build int asn_lookup_by_cidr.

Turns out the lookup file is too large. I copied the lookup file with a subset of data and created a new lookup definition unsine match_type=CIDR

| inputlookup asn_lookup_by_cidr | head 100000 | rename ip AS sub | outputlookup asn_lookup_by_cidr_fix.csv

When I reached the 400K mark the lookup stopped working.
Raising the max_memtable_bytes value in limits.conf should fix it.