CIDR match

Path Finder

Hello,

I am trying to do a CIDR match with the following search:

index=dhcp sourcetype=infoblox message_type="DHCPACK" | where cidrmatch("10.0.0.0/8", ip)

I see results if I take out the where statement, and all of the IPs are in that subnet. Any idea why this wouldn't work as is?

Thank you,

Jim


Splunk Employee

I'm not sure why it's not working for you. I just verified by doing the exact same search on my logs, and it worked without issue. Have you verified that the IP field is extracted (e.g., by doing YourSearch | stats count by ip)?

As an aside, Splunk handles CIDR in normal searches, so you should be able to get the results you want by doing:

index=dhcp sourcetype=infoblox message_type="DHCPACK" ip=10.0.0.0/8
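
The field check suggested above, extended into a per-state breakdown (an added example, not part of the original post): it classifies each ip value before cidrmatch is applied, so rows that a where cidrmatch(...) filter would drop are counted by reason. The five sample rows are constructed with makeresults so the search runs on any instance; n, ip_state and examples are names chosen here, and on real data the first three lines are replaced by the base search.

```spl
| makeresults count=5
| streamstats count AS n
| eval ip=case(n=1, "10.1.2.3", n=2, "192.168.1.5", n=3, " 10.4.5.6", n=4, "10.9.9.9:67", n=5, null())
| eval ip_state=case(
    isnull(ip), "field not extracted",
    ip!=trim(ip), "leading/trailing whitespace",
    NOT match(ip, "^\d{1,3}(\.\d{1,3}){3}$"), "not a bare IPv4 address",
    cidrmatch("10.0.0.0/8", ip), "inside 10.0.0.0/8",
    true(), "outside 10.0.0.0/8")
| stats count values(ip) AS examples BY ip_state
```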

Path Finder

This worked great. I'm not using the infoblox add-on, but I just changed the field to match what I have and it works wonderfully.
Thank you.

Path Finder

Excellent, using ip=10.0.0.0/8 works perfectly, as did the count. Still not sure why it didn't work the long way, but shorter is better.
