Hello Splunkers
I just noticed that there is a field type "cidr" for the KV Store.
According to the API documentation this should handle any kind of IP ranges nicely in canonical form.
http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTkvstore#CIDR
Until now we used field type string
field.netrange = string
I created a new collection for testing with
field.netrange = cidr
and transferred the content with | inputlookup | outputlookup
But upon inspection | inputlookup
I still observe the previous non-canonical IP ranges like 2001:620:2000::/48
Did I do something wrong?
What is the benefit of using the field type cidr when there are no changes?
There is no additional benefit. CIDR is implicit: https://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF/RESTkvstore
I am not sure if I understand this correctly
According to the documentation the field using field.cidr should be converted to a canonical CIDR address
https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTkvstore#CIDR
Could you sort elaborate on what you mean with implicit?
2001:620:2000::/48 is already a canonical address.
(I think its clearer with IPv4)
172.16.14.0/24 is also a canonical address
172.16.14.34 is NOT a canonical address, so this would be converted to its canonical version which would be:
172.16.14.34/32
I have the same issue. @mathiask Did you ever get to resolve this issue? If so, Can you please share your solution here.
Sadly, I did not further investigate or resolve this issue yet.