Dashboards & Visualizations

How to use eval command to perform a CIDR matching inputlookup?


I am trying to use a text box for an input, so I can input an IP address, and then perform a CIDR lookup with a lookup table that I currently have.

I’ve tried to use an eval command for CIDR matching, however it seems that the eval version of CIDR matching requires that the input be a single IP, and that I type in the prefix manually, which I have far too many of in the lookup table.

What I mean is this.

If I have the address:
I know that this is in this subnet range:


I need to be able to punch in the into a text field, and then have it lookup the range, and return the ‘description’ field in a table within a dashboard.

Is there a way to use the eval command for this? I am attaching the XML I am using below:

  <label>test input field</label>
  <fieldset submitButton="false">
    <input type="text" token="code" searchWhenChanged="true">
      <label>Input vendor code</label>
        <searchString>| inputlookup vendor_lookup.csv | search code=$code$ | table description</searchString>

0 Karma


You can try the following search (works with KV Store lookup where match_type=CIDR(ip) is specified in transforms.conf):

| makeresults
| eval query_ip=""
| lookup lookup_table_name ip AS query_ip OUTPUT ip description
| fields - _time
| transpose

0 Karma

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...