topic Why is my CIDR lookup search returning no results for any field from the lookup table? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-my-CIDR-lookup-search-returning-no-results-for-any-field/m-p/131823#M35960 <P>Hi folks... I realize every conceivable permutation of this question has already been asked and answered - I've sure looked through them all, but I just can't seem to get CIDR match in a lookup to work.</P> <P>Use case: huge LAN address space with upwards of 800 subnets, managed by multiple frontline IT teams. Need a way of pinning down the subnet for a host so delegation of issues becomes more straightforward than a manual IPAM search.</P> <P>I have a lookup csv, <CODE>VLAN_Lookup.csv</CODE>, sitting in <CODE>$SPLUNK_HOME/etc/apps/search/lookups</CODE>. Format is,</P> <PRE><CODE>Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation 123.234.0.0/24,Sxyz,Dxyz,Bxyz,Name_of_VLAN_X,wx.yz% ... /* The "Utilisation" field is important to us because we're forever running out of addresses */ </CODE></PRE> <P>The current stanza in <CODE>transforms.conf</CODE> (I've tried a couple of others, all with the same outcome) is,</P> <PRE><CODE>[VLAN_Lookup] filename = VLAN_Lookup.csv match_type = CIDR(Subnet) max_matches = 1 fields_list = Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation </CODE></PRE> <P>Running <CODE>| inputlookup VLAN_Lookup | table Subnet Site_ID Department_ID Building_ID VLAN_Name Utilisation</CODE> in Splunkweb pulls the information out of the csv file without a problem (indicating the lookup definition is fine), but trying to run a search like</P> <P><CODE>sourcetype=blah client_ip=* | lookup VLAN_Lookup Subnet AS client_ip OUTPUT VLAN_Name AS VLAN_Name<BR /> | table client_ip VLAN_Name</CODE></P> <P>results in the <CODE>VLAN_Name</CODE> - or whatever other field from the lookup table I pick always coming up blank.</P> <P>What am I missing? <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 09 Apr 2015 05:05:14 GMT malat_UoM 2015-04-09T05:05:14Z Why is my CIDR lookup search returning no results for any field from the lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-CIDR-lookup-search-returning-no-results-for-any-field/m-p/131823#M35960 <P>Hi folks... I realize every conceivable permutation of this question has already been asked and answered - I've sure looked through them all, but I just can't seem to get CIDR match in a lookup to work.</P> <P>Use case: huge LAN address space with upwards of 800 subnets, managed by multiple frontline IT teams. Need a way of pinning down the subnet for a host so delegation of issues becomes more straightforward than a manual IPAM search.</P> <P>I have a lookup csv, <CODE>VLAN_Lookup.csv</CODE>, sitting in <CODE>$SPLUNK_HOME/etc/apps/search/lookups</CODE>. Format is,</P> <PRE><CODE>Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation 123.234.0.0/24,Sxyz,Dxyz,Bxyz,Name_of_VLAN_X,wx.yz% ... /* The "Utilisation" field is important to us because we're forever running out of addresses */ </CODE></PRE> <P>The current stanza in <CODE>transforms.conf</CODE> (I've tried a couple of others, all with the same outcome) is,</P> <PRE><CODE>[VLAN_Lookup] filename = VLAN_Lookup.csv match_type = CIDR(Subnet) max_matches = 1 fields_list = Subnet,Site_ID,Department_ID,Building_ID,VLAN_Name,Utilisation </CODE></PRE> <P>Running <CODE>| inputlookup VLAN_Lookup | table Subnet Site_ID Department_ID Building_ID VLAN_Name Utilisation</CODE> in Splunkweb pulls the information out of the csv file without a problem (indicating the lookup definition is fine), but trying to run a search like</P> <P><CODE>sourcetype=blah client_ip=* | lookup VLAN_Lookup Subnet AS client_ip OUTPUT VLAN_Name AS VLAN_Name<BR /> | table client_ip VLAN_Name</CODE></P> <P>results in the <CODE>VLAN_Name</CODE> - or whatever other field from the lookup table I pick always coming up blank.</P> <P>What am I missing? <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Thu, 09 Apr 2015 05:05:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-CIDR-lookup-search-returning-no-results-for-any-field/m-p/131823#M35960 malat_UoM 2015-04-09T05:05:14Z Re: Why is my CIDR lookup search returning no results for any field from the lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-CIDR-lookup-search-returning-no-results-for-any-field/m-p/131824#M35961 <P>OK; false alarm, sort of... turns out "If at first you don't succeed, try, try again" applied to Splunk restarts in this eventuality.</P> <P>(we run a distributed environment, with two search heads, and a common set of config files in a mounted remote directory; both search heads had to be restarted for the changes in transforms.conf to get picked up, rather than just the one I was running searches on...)</P> Mon, 13 Apr 2015 07:01:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-CIDR-lookup-search-returning-no-results-for-any-field/m-p/131824#M35961 malat_UoM 2015-04-13T07:01:28Z