Is there any update on whether or not this is going to be fixed? I'm running into the same issue as the original author right now.
Are the ones returning for the subset of records from a specific data input or set of inputs? I am finding that the CIDR search host=127.0.0.1/24 will work if Splunk is setting the host as the IP which it does for data inputs of type TCP or UDP. If I use a file or directory input type and then set the host field value to an IP address, those data inputs aren't picked up in the CIDR search host=127.0.0.1/24 but will be found in the search host=127.0.0.*
One way around it is to use the cidrmatch function as it will pick up records from both types of data inputs:
* | where cidrmatch("127.0.0.1/24", host), but so will the 127.0.0.*
Actually, it's 100% UDP. So the host field should be an IP. The cidrmatch() function is working, but it's not user-friendly.
I tried something else :
host=10.1.2.* host=10.1.2.0/24
--> returns nothing
host=10.1.2.* | search host=10.1.2.0/24
--> returns 48k+ matches
Bug spotted ? I'll open a case.