Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

theothertomjone
New Member
‎02-19-2018 07:27 AM

I've read other questions on this topic and I am afraid I'm just stuck.

I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).

I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).

1. I have edited transforms.conf with the configuration below

[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)

2. The following query doesnt work (for some reason)

| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location

3. None of the fields match on the country (or the OUTPUT field *clientip_location)*

Any idea what could be going on here?

Tags (1)
0 Karma
Reply

starcher
Influencer
‎02-20-2018 10:15 AM

Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.

0 Karma
Reply

theothertomjone
New Member
‎02-20-2018 10:34 AM

It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.

0 Karma
Reply

dbray_sd
Path Finder
‎02-18-2019 12:14 PM

Did you ever get this resolved? I seem to be having the same issue.

0 Karma
Reply

theothertomjone
New Member
‎02-19-2018 07:30 PM

Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.

So, in production Im running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.

Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. Its weird.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...