Splunk Search

CIDR type lookup and matching the most specific prefix

rafajot
Explorer

I would like to make a CIDR type lookup that matches only the most specific prefix. For example, if there is a lookup table with the 165.225.0.0/17 and 165.225.68.0/24 prefixes, then 165.225.68.64 should be matched only against the /24 prefix.

In the past I thought that was the default Splunk behavior, but either I was wrong (most likely) or the Splunk behavior has changed over time (less likely).


rfaircloth_splu
Splunk Employee

The way lookup files work is that we will read the file until max_matches has been satisfied. If the file is sorted by reverse mask bits (/32, /31, etc.) and max_matches=1, then this will appear to work, so long as only one row for a given CIDR is expected.

Line #27 in this macro has an example: https://bitbucket.org/SPLServices/seckit_sa_idm_common/src/f1abb1c9099be10a613c160a4b0d88088c0899c4/...


rafajot
Explorer

It looks like generating a lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (and I checked around 12 000 IPs against their BGP prefixes). However, it would be good to have confirmation in the Splunk documentation that this is expected Splunk behaviour.

What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions

My understanding is that in such a case, if 61.31.236.1 is tested against a lookup where two prefixes exist, 61.31.224.0/20 and 61.31.236.0/24, it should be matched to 61.31.224.0/20 (as it is first in sorting order). However, if the lookup is sorted by network size it is actually being matched to 61.31.236.0/24, which is good from the point of view of the described problem, but I'm not quite sure if it's aligned with the above-mentioned documentation.

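The behaviour described in the employee's answer and confirmed in the reply above (rows scanned in file order, scan stops at max_matches, so a most-specific-first file order yields a longest-prefix match), as an added model in Python that is not Splunk's code and not from either poster. The CSV content, the `prefix` field name and the `cidr_lookup`/`most_specific_first`/`longest_prefix` functions are constructed for this example; Splunk's real lookup engine may differ in details the thread does not cover.

```python
import csv
import io
import ipaddress

# Constructed sample lookup, shaped like a Splunk CSV lookup whose "prefix"
# field would carry match_type = CIDR(prefix). Uses the thread's prefixes.
LOOKUP_CSV = """prefix,description
165.225.0.0/17,aggregate
165.225.68.0/24,specific
61.31.224.0/20,aggregate
61.31.236.0/24,specific
"""

def load_rows(csv_text):
    """Parse the lookup CSV into row dicts, preserving file order."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def cidr_lookup(rows, ip, field="prefix", max_matches=1):
    """Model of the behaviour the thread describes (assumption, not Splunk's
    implementation): rows are scanned in file order and scanning stops as
    soon as max_matches rows have matched."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for row in rows:
        if addr in ipaddress.ip_network(row[field], strict=False):
            hits.append(row)
            if len(hits) >= max_matches:
                break
    return hits

def most_specific_first(rows, field="prefix"):
    """Reorder rows so longer prefixes (/32, /31, ...) come first; sorted()
    is stable, so equal-length prefixes keep their file order. With
    max_matches=1 the first hit is then the longest-prefix match."""
    return sorted(rows, reverse=True,
                  key=lambda r: ipaddress.ip_network(r[field], strict=False).prefixlen)

def longest_prefix(csv_text, ip):
    """Full pipeline: load, sort most-specific-first, take the single match."""
    hits = cidr_lookup(most_specific_first(load_rows(csv_text)), ip)
    return hits[0]["prefix"] if hits else None

if __name__ == "__main__":
    rows = load_rows(LOOKUP_CSV)
    # Unsorted file: the /17 row is read first, so it wins with max_matches=1.
    print(cidr_lookup(rows, "165.225.68.64")[0]["prefix"])  # 165.225.0.0/17
    # Sorted most-specific-first: the /24 row wins.
    print(longest_prefix(LOOKUP_CSV, "165.225.68.64"))       # 165.225.68.0/24
    print(longest_prefix(LOOKUP_CSV, "61.31.236.1"))         # 61.31.236.0/24
```

Raising max_matches above 1 returns every covering prefix in file order, which is the simplest way to check whether a given file's ordering is actually producing the intended single match.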