I'm attempting to use the address_in_network function to compare results of a Splunk query against a custom list, and use matches to remove items from action_results.data of that query, so that the remainder of the query results are easily accessible in following blocks. I've got the logic of accessing action_results.data, the custom list, and address_in_network all figured out - but I'm having a hard time figuring out exactly how to either remove items directly from action_results.data, or return my list of IP addresses in a type that a filter block can make use of, so that later blocks could just access filtered-data directly.
My variable created for output, Build_IP_Whitelist__tofilter, is assigned a type of None in the code framework that I can't edit. I went ahead and cast it to a list and used append to build out that list, which returns without error from my custom function. The problem arises when I try to use that list for comparison in a following filter block:
@alexgkirk filters and decision blocks are CIDR aware (probably use the same API call).
So if I read right, you should be able to have the outputted field containing the IP from the Splunk search in the top of the 1st condition, then 'is in' as the operator, then the CIDR range of the network you're trying to see if the IP is in. You can also add as many network ranges as needed in the same condition by using the 'OR' option!
This way requires 0 custom code and the filtered data can be pulled into any downstream block.
Hope that helped?
I was not aware of this - it simplifies things tremendously, and works flawlessly over here as you've described. You even responded faster than I could finish lunch, bravo good sir.
Below is something I just tested on 4.9 to confirm. I set up a container with 5 IPs, 3 within the range I put in the container (192.16.0.0/16):
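Added example, not code from the thread or from Phantom: a stand-alone Python stand-in for the custom-function approach in the question, run over constructed rows shaped like the 4.9 test above (5 IPs, 3 inside 192.16.0.0/16). The field name src_ip, the sample rows and the network list are assumptions; the real address_in_network is Phantom's, and this one re-implements the same CIDR membership check (including the multi-range 'OR' case) with the standard ipaddress module.

```python
import ipaddress

# Constructed stand-in for the Splunk action_results.data rows in the thread
# (not Phantom's real data structure, just the fields the filter needs).
SAMPLE_RESULTS = [
    {"src_ip": "192.16.10.5", "user": "alice"},
    {"src_ip": "192.16.200.7", "user": "bob"},
    {"src_ip": "192.16.0.1", "user": "carol"},
    {"src_ip": "10.0.0.8", "user": "dave"},
    {"src_ip": "not-an-ip", "user": "erin"},  # malformed value to exercise the error path
]

# Constructed stand-in for the custom list of allowed networks (CIDR strings).
ALLOWED_NETWORKS = ["192.16.0.0/16"]


def address_in_network(ip, networks):
    """Return True if ip falls inside any of the CIDR ranges (the 'OR' case).

    Mirrors the 'is in' semantics described in the thread; unparsable
    addresses never match, so they are not silently treated as allowed.
    """
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    for cidr in networks:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False


def split_results(results, networks, field="src_ip"):
    """Partition result rows into (matched, remaining) by CIDR membership.

    Returning the remainder as a plain list is what lets a later block consume
    it directly instead of mutating action_results.data in place.
    """
    matched, remaining = [], []
    for row in results:
        if address_in_network(str(row.get(field, "")), networks):
            matched.append(row)
        else:
            remaining.append(row)
    return matched, remaining


if __name__ == "__main__":
    hits, rest = split_results(SAMPLE_RESULTS, ALLOWED_NETWORKS)
    print(f"{len(hits)} inside {ALLOWED_NETWORKS}, {len(rest)} outside")
```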