Hello,
I am trying to do a CIDR match with the following search:
index=dhcp sourcetype=infoblox message_type="DHCPACK" | where cidrmatch("10.0.0.0/8", ip)
I see results if I take out the where statement, and all of the IPs are in that subnet. Any idea why this wouldn't work as is?
Thank you,
Jim
I'm not sure why it's not working for you. I just verified by doing the exact same search on my logs, and it worked without issue. Have you verified that the IP field is extracted (e.g., by doing YourSearch | stats count by ip)?
As an aside, Splunk handles cidr in normal searches, so you should be able to get the results you want by doing:
index=dhcp sourcetype=infoblox message_type="DHCPACK" ip=10.0.0.0/8
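The answer above points at the usual cause of an empty `where cidrmatch(...)` result: the `ip` field is not actually extracted, so the comparison has nothing to test. The following Python is an added illustration, not code from the original thread or from Splunk; it models the search over a handful of constructed DHCP log lines with a stand-in regex field extraction (`GOOD_EXTRACTION` / `BAD_EXTRACTION` are hypothetical names), and shows how the `stats count by ip` check from the answer exposes a missing field before you spend time on the CIDR clause.

```python
import ipaddress
import re

# Constructed sample DHCP events (not from the original post). The field
# names mirror the question's search: message_type and ip.
SAMPLE_EVENTS = [
    "DHCPACK on 10.12.3.44 to aa:bb:cc:dd:ee:01 via eth0",
    "DHCPACK on 10.200.7.9 to aa:bb:cc:dd:ee:02 via eth0",
    "DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:03 via eth1",
    "DHCPREQUEST for 10.12.3.44 from aa:bb:cc:dd:ee:01 via eth0",
    "DHCPACK on 10.12.3.45 (lab-host) to aa:bb:cc:dd:ee:04 via eth0",
]

# Hypothetical field extractions standing in for a sourcetype's props.
# GOOD_EXTRACTION yields an "ip" field; BAD_EXTRACTION captures the same
# value under a different name, so "ip" is never extracted.
GOOD_EXTRACTION = re.compile(
    r"^(?P<message_type>DHCP\w+) (?:on|for) (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
BAD_EXTRACTION = re.compile(
    r"^(?P<message_type>DHCP\w+) (?:on|for) (?P<address>\d+\.\d+\.\d+\.\d+)"
)


def extract_fields(event, pattern):
    """Return the named-group fields of one event, or {} if nothing matched."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def cidrmatch(cidr, ip):
    """Mimic Splunk's cidrmatch(): true only when ip is a valid address inside
    cidr. A missing (None) or malformed ip never matches, which is why an
    unextracted field silently drops every event in a where clause."""
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def search(events, pattern, cidr, message_type="DHCPACK"):
    """Equivalent of: message_type=<value> | where cidrmatch(<cidr>, ip)."""
    hits = []
    for event in events:
        fields = extract_fields(event, pattern)
        if fields.get("message_type") != message_type:
            continue
        if cidrmatch(cidr, fields.get("ip")):
            hits.append(fields["ip"])
    return hits


def stats_count_by_ip(events, pattern):
    """Equivalent of: ... | stats count by ip. An empty result is the
    diagnostic from the answer: the ip field is not being extracted."""
    counts = {}
    for event in events:
        ip = extract_fields(event, pattern).get("ip")
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("with ip extracted:", search(SAMPLE_EVENTS, GOOD_EXTRACTION, "10.0.0.0/8"))
    print("without ip extracted:", search(SAMPLE_EVENTS, BAD_EXTRACTION, "10.0.0.0/8"))
    print("stats count by ip (bad extraction):", stats_count_by_ip(SAMPLE_EVENTS, BAD_EXTRACTION))
```

With the working extraction the three DHCPACK events inside 10.0.0.0/8 are returned and the 192.168.1.20 lease is dropped; with the broken extraction the same search returns nothing at all, and `stats_count_by_ip` returns an empty result, which is the quick check to run before suspecting the CIDR logic.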
This worked great. I'm not using the Infoblox add-on, but I just changed the field to match what I have and it works wonderfully.
Thank you
Excellent, using ip=10.0.0.0/8 works perfectly, as did the count. Still not sure why it didn't work the long way, but shorter is better.