topic Re: cidrmatch function not working in Splunk Search

cidrmatch function not working

Ronvgraham — Thu, 11 Jun 2015 22:56:21 GMT

I have imported two Cisco firewall configurations and I am trying to extract IP addresses for our local machines. Therefore I only want to match on subnets that are within our control. I have put together the following command to match on one of our private ip ranges but it appears to always be defaulting to other:

index=fw 
| rex max_match=5 "(?P<IP_add>\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| eval network=if(cidrmatch("10.0.0.0/8", IP_add), "Network", "other")
| stats count by IP_add,network

I have also tried to use the | where NOT cidrmatch("10.0.0.0/8",IP_add) notation but that does not seem to select the proper subnets either. Can someone help me understand why the cidrmatch function does not appear to be working for my searches.

Do I have to set up the transforms file to use the cidrmatch function and if so can someone help me with the proper code to get this done based on the above?

Re: cidrmatch function not working

MuS — Thu, 11 Jun 2015 23:08:54 GMT

Hi Ronvgraham,

this works perfectly:

| stats count | eval IP_add="11.10.10.10" 
| eval network=if(cidrmatch("10.0.0.0/8", IP_add), "Network", "other")
| stats count by IP_add,network

What does your regex match? Is the field value returned numeric or alphanumeric?

cheers, MuS

Re: cidrmatch function not working

Ronvgraham — Fri, 12 Jun 2015 14:50:47 GMT

I tried your example and it works properly on my system as well. When I run my original example the regex matches "other" for all IP addresses even though some of them are in the 10.x.x.x subnet. The fields that were generated by my regex are alphanumeric.

Re: cidrmatch function not working

Ronvgraham — Fri, 12 Jun 2015 15:19:17 GMT

To add some more information. With my regex there may be more than one IP address on a line so it may add more than one IP address to the IP_add field. This may be related to the problem.