Getting Data In

Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

theothertomjone
New Member

I've read other questions on this topic and I am afraid I'm just stuck.

I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).

I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).

1. I have edited transforms.conf with the configuration below

[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)

2. The following query doesn't work (for some reason)

| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location

3. None of the fields match on the country (or the OUTPUT field *clientip_location*)

Any idea what could be going on here?

0 Karma

starcher
Influencer

Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.

0 Karma

theothertomjone
New Member

It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.

0 Karma

dbray_sd
Path Finder

Did you ever get this resolved? I seem to be having the same issue.

0 Karma

theothertomjone
New Member

Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.

So, in production I'm running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.

Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. It's weird.

0 Karma
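An offline check, added here and not taken from the thread, of what the CIDR lookup in the question should return: Python's ipaddress module is applied to constructed sample rows shaped like the two CSVs (subnet,country and clientip), so the expected clientip_location values can be confirmed independently of the Splunk version. It assumes the most specific subnet wins when ranges overlap and returns None where nothing matches (the default_match = NONE case).

```python
import csv
import io
import ipaddress

# Constructed sample rows in the shape of the poster's two CSVs (not real data).
# "bad-subnet" is included on purpose: a malformed row is a common reason a
# CIDR lookup silently returns nothing for part of the table.
SUBNETS_CSV = """subnet,country
10.0.0.0/8,US
10.10.0.0/16,CA
192.168.1.0/24,DE
2001:db8::/32,FR
bad-subnet,XX
"""

CLIENTS_CSV = """clientip
10.10.5.7
10.200.1.1
192.168.1.99
192.168.2.1
2001:db8:1::5
not-an-ip
"""

def load_subnets(text):
    """Parse the subnet lookup, reporting and skipping rows that are not valid CIDR."""
    nets = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            nets.append((ipaddress.ip_network(row["subnet"].strip(), strict=False),
                         row["country"]))
        except ValueError:
            print(f"skipping invalid subnet row: {row['subnet']!r}")
    return nets

def cidr_lookup(nets, clientip):
    """Emulate `| lookup subnets_cidrmatch subnet AS clientip OUTPUT country`.
    Assumption: longest matching prefix wins; None mirrors default_match = NONE."""
    try:
        addr = ipaddress.ip_address(clientip.strip())
    except ValueError:
        return None  # unparsable clientip never matches
    best = None
    for net, country in nets:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country)
    return best[1] if best else None

def run(subnets_csv=SUBNETS_CSV, clients_csv=CLIENTS_CSV):
    """Return {clientip: clientip_location} for every row of the client CSV."""
    nets = load_subnets(subnets_csv)
    return {row["clientip"]: cidr_lookup(nets, row["clientip"])
            for row in csv.DictReader(io.StringIO(clients_csv))}

if __name__ == "__main__":
    for ip, country in run().items():
        print(f"{ip:16} -> {country}")
```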