Knowledge Management

KV Store field type cidr

mathiask
Communicator

Hello Splunkers

I just noticed that there is a field type "cidr" for the KV Store.
According to the API documentation this should handle any kind of IP ranges nicely in canonical form.
http://docs.splunk.com/Documentation/Splunk/7.1.2/RESTREF/RESTkvstore#CIDR

Until now we used field type string
field.netrange = string

I created a new collection for testing with
field.netrange = cidr
and transferred the content with | inputlookup | outputlookup

But upon inspection | inputlookup

I still observe the previous non-canonical IP ranges like 2001:620:2000::/48

Did I do something wrong?

What is the benefit of using the field type cidr when there are no changes?

stephaniem_splu
Splunk Employee

There is no additional benefit. CIDR is implicit: https://docs.splunk.com/Documentation/Splunk/6.3.1/RESTREF/RESTkvstore

0 Karma

mathiask
Communicator

I am not sure if I understand this correctly
According to the documentation the field using field.cidr should be converted to a canonical CIDR address
https://docs.splunk.com/Documentation/Splunk/7.2.5/RESTREF/RESTkvstore#CIDR

Could you sort of elaborate on what you mean by implicit?

0 Karma

nickhills
Ultra Champion

2001:620:2000::/48 is already a canonical address.
(I think it's clearer with IPv4)
172.16.14.0/24 is also a canonical address
172.16.14.34 is NOT a canonical address, so this would be converted to its canonical version which would be:
172.16.14.34/32

If my comment helps, please give it a thumbs up!
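
The canonical-form distinction described in the reply above, as an added example that is not part of the original thread: a Python check that reports which netrange values would change when normalized. It assumes Python's `ipaddress` normalization as a stand-in for the KV Store's behaviour, which the thread does not confirm; `canonical_cidr`, `audit` and `SAMPLE` are hypothetical names.

```python
import ipaddress

def canonical_cidr(value):
    """Return (canonical, reason) for one netrange value.

    Canonical here is Python's ipaddress form: host bits cleared,
    explicit prefix length, compressed lowercase IPv6. Assumed, not
    confirmed, to match what the KV Store cidr type produces.
    """
    text = value.strip()
    try:
        # strict=False accepts set host bits and masks them off.
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None, "invalid"
    canon = str(net)
    if canon == value:
        return canon, "already canonical"
    if "/" not in text:
        return canon, "bare address, prefix added"
    if ipaddress.ip_address(text.split("/", 1)[0]) != net.network_address:
        return canon, "host bits cleared"
    return canon, "text form normalized"

def audit(values):
    """Group (original, canonical) pairs by the reason they differ."""
    report = {}
    for v in values:
        canon, reason = canonical_cidr(v)
        report.setdefault(reason, []).append((v, canon))
    return report

# Constructed sample rows; the first four values appear in the thread.
SAMPLE = [
    "2001:620:2000::/48",
    "172.16.14.0/24",
    "172.16.14.34",
    "172.16.14.34/32",
    "172.16.14.34/24",
    "2001:0620:2000:0000:0000:0000:0000:0000/48",
    "172.16.14.0/255.255.255.0",
    "not-a-range",
]

if __name__ == "__main__":
    for reason, pairs in audit(SAMPLE).items():
        print(reason)
        for original, canon in pairs:
            print(f"  {original!r} -> {canon!r}")
```

Rows reported as "already canonical" are the ones where no visible change is expected after switching the field type.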

vsingla1
Communicator

I have the same issue. @mathiask Did you ever get to resolve this issue? If so, can you please share your solution here?

0 Karma

mathiask
Communicator

Sadly, I did not further investigate or resolve this issue yet.

0 Karma