Archive

CIDR search against multivalue fields

Explorer

I'm using the Splunk for Cisco IPS app which outputs some events with multiple targets with IP addresses:

target=a.a.a.a target=b.b.b.b target=c.c.c.c ... target=n.n.n.n.

If I search with target=a.a.a.0/24, then I get a match, but searching for target=b.b.b.0/24 or any of the later values does not match. Is there a way to properly CIDR search through all the values of a multivalue field?

0 Karma
1 Solution

Explorer

The problem was the target, target_port, and target_locality fields hadn't actually been set as MV fields by default. So by adding the following, it now works properly:

props.conf:

[cisco_ips_syslog]
REPORT-target = target,target_port,target_locality

transforms.conf:

[target]
REGEX = target=\"(.+?)\"
FORMAT = target::$1
MV_ADD = True

[target_port]
REGEX = target_port=\"(.+?)\"
FORMAT = target_port::$1
MV_ADD = True

[target_locality]
REGEX = target_locality=\"(.+?)\"
FORMAT = target_locality::$1
MV_ADD = True

View solution in original post

0 Karma

Explorer

The problem was the target, target_port, and target_locality fields hadn't actually been set as MV fields by default. So by adding the following, it now works properly:

props.conf:

[cisco_ips_syslog]
REPORT-target = target,target_port,target_locality

transforms.conf:

[target]
REGEX = target=\"(.+?)\"
FORMAT = target::$1
MV_ADD = True

[target_port]
REGEX = target_port=\"(.+?)\"
FORMAT = target_port::$1
MV_ADD = True

[target_locality]
REGEX = target_locality=\"(.+?)\"
FORMAT = target_locality::$1
MV_ADD = True

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

I would have expected this to work. Alternately, I might suggest use of where and cidrmatch. Something like

blah blah blah | where cidrmatch(target,"b.b.b.0/24")
0 Karma

Explorer

Unfortunately that yields the same result, matches with cidrmatch(target,"a.a.a.0/24") but nothing else.

0 Karma