CIDR search on host field

afaraino · ‎01-13-2012

Hello Everyone,

I'm facing a strange behavior here :

searching host=10.1.2.* returns 511,000+ results
searching host=10.1.2.0/24 returns 807 results

Am I missing something?

I'm using Splunk 4.2.4.

Regards,

Alexandre Faraino

tmeader · ‎11-30-2015

Is there any update on whether or not this is going to be fixed? I'm running into the same issue as the original author right now.

SarahWKarvenz · ‎01-13-2012

Are the ones returning for the subset of records from a specific data input or set of inputs? I am finding that the CIDR search host=127.0.0.1/24 will work if Splunk is setting the host as the IP which it does for data inputs of type TCP or UDP. If I use a file or directory input type and then set the host field value to an IP address, those data inputs aren't picked up in the CIDR search host=127.0.0.1/24 but will be found in the search host=127.0.0.*

One way around it is to use the cidrmatch function as it will pick up records from both types of data inputs:
* | where cidrmatch("127.0.0.1/24", host), but so will the 127.0.0.*

afaraino · ‎01-16-2012

Actually, it's 100% UDP. So the host field should be an IP. The cidrmatch() function is working, but it's not user-friendly.

I tried something else :

host=10.1.2.* host=10.1.2.0/24
--> returns nothing
host=10.1.2.* | search host=10.1.2.0/24
--> returns 48k+ matches

Bug spotted ? I'll open a case.

CIDR search on host field

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!