Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

theothertomjone
New Member
‎02-19-2018 07:27 AM

I've read other questions on this topic and I am afraid I'm just stuck.

I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).

I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).

1. I have edited transforms.conf with the configuration below

[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)

2. The following query doesnt work (for some reason)

| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location

3. None of the fields match on the country (or the OUTPUT field *clientip_location)*

Any idea what could be going on here?

Tags (1)
0 Karma
Reply

starcher
Influencer
‎02-20-2018 10:15 AM

Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.

0 Karma
Reply

theothertomjone
New Member
‎02-20-2018 10:34 AM

It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.

0 Karma
Reply

dbray_sd
Path Finder
‎02-18-2019 12:14 PM

Did you ever get this resolved? I seem to be having the same issue.

0 Karma
Reply

theothertomjone
New Member
‎02-19-2018 07:30 PM

Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.

So, in production Im running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.

Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. Its weird.

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...