Splunk Search

CIDR match not working on Splunk 8.X

duartet
Path Finder

Hi,

We have been migrating objects from Splunk 7.3.9 to Splunk 8.X and have found a strange issue; hope someone has a clue.

So basically we have a lookup file with a definition using cidr match.

The csv contains, among other fields, an ip, cidr and subnet columns.

Ex:

ip        cidr         subnet
10.1.1.2  10.1.1.2/32  10.1.1.0/24

 

This is on "Lookup Definition" match type:

CIDR(cidr)

 

However if I try to do this simple query:

| makeresults
| eval ip="10.1.1.2"
| table ip
| lookup <lookup_name> cidr as ip OUTPUT subnet

It doesn't work.

The exact same thing is working properly in splunk 7.3.9.

Any clue?

 

Kind regards,

Tiago


marand
Explorer

I had the same problem with the MaxMind built-in asn_lookup_by_cidr.

Turns out the lookup file is too large. I copied the lookup file with a subset of data and created a new lookup definition using match_type=CIDR:

| inputlookup asn_lookup_by_cidr | head 100000
| rename ip AS sub
| outputlookup asn_lookup_by_cidr_fix.csv

When I reached the 400K mark the lookup stopped working.
Raising the max_memtable_bytes value in limits.conf should fix it.


maciep
Champion

I just tried with 8.1.3 and wasn't able to reproduce. Also didn't see anything in the release notes about that. Can you reproduce with a new lookup as a quick test?

Can you lookup by ip instead of cidr, just to make sure the lookup works in general? Could there be anything annoying like whitespace in the cidr field? May be worth diving into props/transforms to ensure nothing got moved/modified/overwritten during the upgrade?


duartet
Path Finder

Hi, 

So basically I have tested this in 3 different Splunk SHs. One with 7.3.9 where all is working fine, another with 8.0.4.1 with the same configurations (csv and lookup definition), and another with 8.0.8, which I have upgraded to 8.1.3, also with the same configuration.

I have tried before matching directly with IP and it works, but not with the cidr field. There is no extra whitespace; the same lookup works properly on 7.3.9 matching the cidr field.

I have configured the lookup fresh via gui on both Splunk 8.X SHs and it didn't work anyway.

Tried using the cidrmatch function at search time and it works.

So basically the only thing not working is CIDR in lookup definition.

Hope this clarifies.

 

Thanks 

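To check a lookup CSV like the one in the question outside Splunk, here is an added Python example (not from this thread and not Splunk's own code) that validates each cidr cell the way maciep suggests and then performs a CIDR match for a test IP. The CSV is constructed from the question's row plus two deliberately damaged rows; returning the most specific matching network is this example's choice, not a statement about how Splunk orders multiple matches.

```python
import csv
import io
import ipaddress

# Constructed sample: the row from the question, then a row with stray
# whitespace around the cidr cell and a row with an invalid prefix length.
SAMPLE_CSV = """ip,cidr,subnet
10.1.1.2,10.1.1.2/32,10.1.1.0/24
10.1.1.3, 10.1.1.0/24 ,10.1.1.0/24
192.168.0.5,192.168.0.0/33,192.168.0.0/24
"""


def validate_lookup(csv_text, cidr_field="cidr"):
    """Return (clean_rows, problems).

    A row is clean when its cidr cell parses as a network and has no
    surrounding whitespace; anything else is reported with its line number
    so the CSV can be fixed before it is uploaded as a lookup.
    """
    clean, problems = [], []
    # Header is line 1 of the file, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        raw = row[cidr_field]
        if raw != raw.strip():
            problems.append((line_no, raw, "surrounding whitespace"))
            continue
        try:
            row["_net"] = ipaddress.ip_network(raw, strict=False)
        except ValueError as exc:
            problems.append((line_no, raw, f"invalid CIDR: {exc}"))
            continue
        clean.append(row)
    return clean, problems


def cidr_lookup(rows, ip, output_field="subnet"):
    """Mimic `lookup <name> cidr AS ip OUTPUT subnet` with match type CIDR(cidr):
    return the output field of the most specific clean network containing ip,
    or None when no row matches (a damaged row silently produces no match)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rows if addr in r["_net"]]
    if not hits:
        return None
    best = max(hits, key=lambda r: r["_net"].prefixlen)
    return best[output_field]
```

Running validate_lookup on the sample flags lines 3 and 4, and a lookup for 10.1.1.9 returns None because the only /24 row was the one with whitespace.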