topic Re: Lookup Table with CIDR, running but no matches in Splunk Search

Lookup Table with CIDR, running but no matches

yoshileigh66 — Fri, 03 Nov 2023 16:50:28 GMT

Hello, I think this is a simple answer but I'm not able to find a solution.

I created a lookup table that looks like this (but of course has more info):

Cidr, ip_address

24, 99.99.99.99/24
25, 100.100.100/25

I only included the Cidr column as I read that the lookup table needs at least 2 columns, but I do not use it. Let me know if I should!

I am trying to find source ips that match with the ip_address in my lookup table.

index="index1" [|inputlookup lookup | rename ip_address as src_ip]

I have ensured that Advanced Settings -> Match -> CIDR(ip_address)

When the query is ran, no matches are found, but I know that there is traffic from the addresses. What am I overlooking?

Re: Lookup Table with CIDR, running but no matches

PickleRick — Fri, 03 Nov 2023 21:28:37 GMT

Match type has no meaning with inputlookup.

Your subsearch will get expanded to a set of conditions like

(src_ip="1.2.3.4/24) OR (src_ip="4.5.6.7/23") OR ...)

Verify your expanded search in job dashboard if it matches the field naming in your events.

Re: Lookup Table with CIDR, running but no matches

ITWhisperer — Sat, 04 Nov 2023 10:37:25 GMT

index="index1" |lookup lookup ip_address as src_ip | where isnotnull(Cidr)

Re: Lookup Table with CIDR, running but no matches

PickleRick — Sat, 04 Nov 2023 16:38:56 GMT

That's another solution but it's worth noting the difference in the search process of both those SPLs and the possible difference in performance.

Re: Lookup Table with CIDR, running but no matches

yoshileigh66 — Mon, 06 Nov 2023 14:03:33 GMT

Thank you for your response. I double checked and all the fields are correctly spelled.

A coworker put 'AND' in front of the subsearch, and events are returning. She is using a lookup without the match type being set to CIDR(ip_address), so now I'm more puzzled.

EDIT: Oh yes, I forgot that you said that matchtype doesn't have meaning with inputlookup, so I guess that is why it doesn't matter in this case. Although I'm still puzzled as to why the 'AND' is making a difference.

Re: Lookup Table with CIDR, running but no matches

yoshileigh66 — Mon, 06 Nov 2023 14:01:54 GMT

Thank you so much!
Out of curiosity, is the isnotnull(CIDR) referring to the column in the lookup table, or to the matchtype that was set up when creating the lookup definition?

Re: Lookup Table with CIDR, running but no matches

ITWhisperer — Mon, 06 Nov 2023 14:11:05 GMT

The column in the lookup - essentially, if there is no match in the lookup, the output field will be null.