https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83970#M21400 <P>DOH, let me verify...this is what I get for subnetting with an online calculator rather than doing it by hand...</P> Wed, 03 Jul 2013 16:43:38 GMT ccsfdave 2013-07-03T16:43:38Z https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83967#M21397 <P>I have the following lookup:</P> <P><STRONG>transforms.conf</STRONG></P> <P><CODE>[ipam]<BR /> filename = ipam.csv<BR /> match_type = CIDR(src_ip)</CODE></P> <P><STRONG>props.conf</STRONG></P> <P><CODE>[cisco_asa]<BR /> LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department</CODE></P> <P><STRONG>ipam.csv</STRONG></P> <P><CODE>src_ip,Dept<BR /> 10.8.1.0/10,Soap<BR /> 10.17.101.0/16,Clean<BR /> 10.17.102.0/15,Clean</CODE></P> <P>When I do a search though, much more than what I would expect is being matched (I masked the results, the first is full the second and third are abbreviated for readability) :</P> <P>» 7/3/13 7:42:30.000 AM Jul 3 07:42:30 <STRONG><EM>.</EM></STRONG>.<STRONG><EM>.</EM></STRONG> %ASA-6-305012: Teardown dynamic TCP translation from inside:<STRONG><EM>.</EM></STRONG>.<STRONG><EM>.</EM></STRONG>/<EM>**</EM> to outside:<STRONG><EM>.</EM></STRONG>.<STRONG><EM>.</EM></STRONG>/<EM>**</EM> duration 0:00:30<BR /> host=<STRONG><EM>.</EM></STRONG>.<STRONG><EM>.</EM></STRONG> Options| sourcetype=cisco_asa Options| source=/var/log/syslog/blah.log Options| src_ip=<STRONG>10.35.36.20</STRONG> Options| <STRONG>Department=Soap</STRONG> Options</P> <P>» 7/3/13 7:42:30.000 AM<BR /><BR /> src_ip=<STRONG>10.15.1.12</STRONG> Options| <STRONG>Department=Soap</STRONG> </P> <P>» 7/3/13 7:42:30.000 AM<BR /><BR /> src_ip=<STRONG>10.17.31.174</STRONG> Options| <STRONG>Department=Soap</STRONG> Options| <STRONG>Department=Clean</STRONG> </P> <P>So as you can see the CIDR matching is not really working well. The first and second result are incorrect IP ranges for the Soap department and the third entry matches both departments when it should simply match Clean.</P> Mon, 28 Sep 2020 14:14:45 GMT https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83967#M21397 ccsfdave 2020-09-28T14:14:45Z https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83968#M21398 <P>BTW, the search was very open: sourcetype=cisco_asa Department="*"</P> Wed, 03 Jul 2013 15:31:08 GMT https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83968#M21398 ccsfdave 2013-07-03T15:31:08Z https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83969#M21399 <P>Actually, it is working correctly, but I think you are incorrectly specifying your CIDR ranges. For example, <CODE>10.8.1.0/10</CODE> (which is the same as <CODE>10.0.0.0/10</CODE>) will match anything in the range <CODE>10.0.0.0</CODE> thru <CODE>10.63.255.255</CODE>, which includes your other two ranges as well as your examples. <CODE>10.17.101.0/15</CODE> (which is the same as <CODE>10.16.0.0/15</CODE>) includes everything in <CODE>10.16.*.*</CODE> and <CODE>10.17.*.*</CODE>.</P> <P>My guess (just a guess) is that your ranges should actually all be <CODE>/24</CODE> ranges. Though of course I don't know your network topology, you are unlikely to want overlapping CIDR ranges for different departments.</P> Wed, 03 Jul 2013 16:36:28 GMT https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83969#M21399 gkanapathy 2013-07-03T16:36:28Z https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83970#M21400 <P>DOH, let me verify...this is what I get for subnetting with an online calculator rather than doing it by hand...</P> Wed, 03 Jul 2013 16:43:38 GMT https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83970#M21400 ccsfdave 2013-07-03T16:43:38Z https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83971#M21401 <P>Ugh, right you were gkanapathy!</P> Wed, 03 Jul 2013 16:58:19 GMT https://community.splunk.com/t5/Splunk-Search/match-type-CIDR-doesn-t-seem-to-work/m-p/83971#M21401 ccsfdave 2013-07-03T16:58:19Z