Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

theothertomjone
New Member
‎02-19-2018 07:27 AM

I've read other questions on this topic and I am afraid I'm just stuck.

I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).

I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).

1. I have edited transforms.conf with the configuration below

[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)

2. The following query doesnt work (for some reason)

| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location

3. None of the fields match on the country (or the OUTPUT field *clientip_location)*

Any idea what could be going on here?

Tags (1)
0 Karma
Reply

starcher
Influencer
‎02-20-2018 10:15 AM

Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.

0 Karma
Reply

theothertomjone
New Member
‎02-20-2018 10:34 AM

It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.

0 Karma
Reply

dbray_sd
Path Finder
‎02-18-2019 12:14 PM

Did you ever get this resolved? I seem to be having the same issue.

0 Karma
Reply

theothertomjone
New Member
‎02-19-2018 07:30 PM

Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.

So, in production Im running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.

Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. Its weird.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...