
CIDR match not working on Splunk 8.X

duartet
Path Finder

Hi,

We have been migrating objects from Splunk 7.3.9 to Splunk 8.X and have found a strange issue; hope someone has a clue.

So basically we have a lookup file with a definition using cidr match.

The CSV contains, among other fields, ip, cidr and subnet columns.

Ex:

ip        cidr          subnet
10.1.1.2  10.1.1.2/32   10.1.1.0/24

 

This is the match type on the "Lookup Definition":

CIDR(cidr)

 

However, if I try this simple query:

| makeresults
| eval ip="10.1.1.2"
| table ip
| lookup <lookup_name> cidr as ip OUTPUT subnet

it doesn't work.

The exact same thing works properly in Splunk 7.3.9.

Any clue?

 

Kind regards,

Tiago


marand
Explorer

I had the same problem with the MaxMind built-in asn_lookup_by_cidr.

Turns out the lookup file is too large. I copied the lookup file with a subset of the data and created a new lookup definition using match_type=CIDR:

| inputlookup asn_lookup_by_cidr | head 100000
| rename ip AS sub
| outputlookup asn_lookup_by_cidr_fix.csv

When I reached the 400K mark the lookup stopped working.
Raising the max_memtable_bytes value in limits.conf should fix it.

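As an added example (not posted by anyone in this thread), here are the two configuration stanzas that, taken together, cover what the original post sets up in the GUI and the limit marand describes: a transforms.conf lookup definition with a CIDR match type, and the limits.conf setting that controls how large a lookup file Splunk will index in memory. The stanza name, CSV file name and the byte value are assumptions chosen for illustration.

```ini
# transforms.conf, e.g. $SPLUNK_HOME/etc/apps/<app>/local/transforms.conf
# Lookup definition equivalent to setting match type "CIDR(cidr)" in the GUI:
# the lookup's "cidr" column is matched as a network range against the
# search-time field mapped to it, instead of as an exact string.
# "subnet_by_cidr" and "subnet_by_cidr.csv" are illustrative names.
[subnet_by_cidr]
filename   = subnet_by_cidr.csv
match_type = CIDR(cidr)

# limits.conf, same local/ directory (or etc/system/local/ on a standalone
# search head; on a search head cluster push it from the deployer).
# max_memtable_bytes is the largest lookup file Splunk will index in memory.
# marand reports CIDR matching silently failing once the file grew past
# roughly 400K rows, so set this above the on-disk size of the CSV.
# 104857600 (100 MB) is an assumed value, not a recommendation from the thread.
[lookup]
max_memtable_bytes = 104857600
```

Restart the search head (or reload the relevant conf) after the change, confirm the effective value with `splunk btool limits list lookup --debug`, and re-run the thread's test search (`| makeresults | eval ip="10.1.1.2" | lookup subnet_by_cidr cidr AS ip OUTPUT subnet`): the `subnet` column should now be populated for an IP that falls inside one of the `cidr` ranges.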

maciep
Champion

I just tried with 8.1.3 and wasn't able to reproduce. Also didn't see anything in the release notes about that. Can you reproduce with a new lookup as a quick test?

Can you look up by ip instead of cidr, just to make sure the lookup works in general? Could there be anything annoying like whitespace in the cidr field? May be worth diving into props/transforms to ensure nothing got moved/modified/overwritten during the upgrade.


duartet
Path Finder

Hi, 

So basically I have tested this on 3 different Splunk SHs: one with 7.3.9, where all is working fine; another with 8.0.4.1 with the same configuration (CSV and lookup definition); and another with 8.0.8, which I have upgraded to 8.1.3, also with the same configuration.

I have tried matching directly on the IP before and it works, but not on the cidr field. There is no extra whitespace; the same lookup works properly on 7.3.9 matching on the cidr field.

I have configured the lookup fresh via gui on both Splunk 8.X SHs and it didn't work anyway.

I also tried using the cidrmatch function at search time, and that works.

So basically the only thing not working is CIDR in lookup definition.

Hope this clarifies.

 

Thanks 
