Re: KV Store field type cidr

mathiask · ‎08-31-2018

Hello Splunkers

I just noticed that there is a field type "cidr" for the KV Store.
According to the API documentation this should handle any kind of IP ranges nicely in canonical form.
http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTkvstore#CIDR

Until now we used field type string
field.netrange = string

I created a new collection for testing with
field.netrange = cidr
and transferred the content with | inputlookup | outputlookup

But upon inspection | inputlookup

I still observe the previous non-canonical IP ranges like 2001:620:2000::/48

Did I do something wrong?

What is the benefit of using the field type cidr when there are no changes?

stephaniem_splu · ‎03-21-2019

There is no additional benefit. CIDR is implicit: https://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF/RESTkvstore

mathiask · ‎03-22-2019

I am not sure if I understand this correctly
According to the documentation the field using field.cidr should be converted to a canonical CIDR address
https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTkvstore#CIDR

Could you sort elaborate on what you mean with implicit?

nickhills · ‎03-22-2019

2001:620:2000::/48 is already a canonical address.
(I think its clearer with IPv4)
172.16.14.0/24 is also a canonical address
172.16.14.34 is NOT a canonical address, so this would be converted to its canonical version which would be:
172.16.14.34/32

If my comment helps, please give it a thumbs up!

vsingla1 · ‎03-10-2019

I have the same issue. @mathiask Did you ever get to resolve this issue? If so, Can you please share your solution here.

mathiask · ‎03-11-2019

Sadly, I did not further investigate or resolve this issue yet.

KV Store field type cidr

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

Observability Highlights | January 2023 Newsletter