CIDR type lookup and matching the most specific prefix

rafajot
Explorer

I would like to make a CIDR type lookup that matches only the most specific prefix. For example, if there is a lookup table with the 165.225.0.0/17 and 165.225.68.0/24 prefixes, then 165.225.68.64 should be matched only against the /24 prefix.

In the past I thought that was the default Splunk behavior, but either I was wrong (most likely) or the Splunk behavior has changed over time (less likely).


rfaircloth_splu
Splunk Employee

The way lookup files work is that we read the file until max_matches has been satisfied. If the file is sorted by reverse mask bits (/32, /31, etc.) and max_matches=1, then this will appear to work, so long as only one row for a given CIDR is expected.

Line 27 in this macro has an example: https://bitbucket.org/SPLServices/seckit_sa_idm_common/src/f1abb1c9099be10a613c160a4b0d88088c0899c4/...


rafajot
Explorer

It looks like generating the lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (and I checked around 12,000 IPs against their BGP prefixes). However, it would be good to have confirmation in the Splunk documentation that this is the expected Splunk behaviour.

What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions

My understanding is that in that case, if 61.31.236.1 is tested against a lookup where two prefixes exist (61.31.224.0/20 and 61.31.236.0/24), it should be matched to 61.31.224.0/20 (as it is first in sorting order). However, if the lookup is sorted by network size it is actually matched to 61.31.236.0/24, which is good from the point of view of the described problem, but I'm not quite sure whether it's aligned with the above-mentioned documentation.

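As an added Python example (not from the thread or the linked macro), this implements the sort rule both replies describe: order the lookup rows by prefix length descending so that a first-match scan with max_matches=1 returns the most specific prefix, alongside a simulation of the file-order scan and the "only one row per CIDR" check. The lookup rows and labels are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed lookup rows (not from the thread): (cidr, label).
# Deliberately stored with the broad /17 and /20 prefixes before the narrow /24s.
RAW_LOOKUP = [
    ("165.225.0.0/17", "corp-wan"),
    ("165.225.68.0/24", "corp-dmz"),
    ("61.31.224.0/20", "partner-a"),
    ("61.31.236.0/24", "partner-a-voip"),
]


def sort_most_specific_first(rows):
    """Order rows by prefix length descending (/32, /31, ... /0), then by network
    address, so the first row containing an address is the most specific one."""
    def key(row):
        net = ipaddress.ip_network(row[0], strict=True)
        return (-net.prefixlen, net.version, int(net.network_address))
    return sorted(rows, key=key)


def cidr_lookup(rows, ip, max_matches=1):
    """Simulate a CIDR lookup: scan rows in file order and stop once
    max_matches rows contain the address. Returns the matched rows."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for cidr, label in rows:
        if addr in ipaddress.ip_network(cidr):
            hits.append((cidr, label))
            if len(hits) >= max_matches:
                break
    return hits


def duplicate_prefixes(rows):
    """Return prefixes that appear more than once; with max_matches=1 only the
    first copy would ever be returned, so duplicates should be resolved first."""
    seen, dups = set(), set()
    for cidr, _ in rows:
        net = ipaddress.ip_network(cidr)
        if net in seen:
            dups.add(str(net))
        seen.add(net)
    return sorted(dups)


def write_lookup_csv(rows):
    """Render the sorted rows as the CSV a lookup definition would read."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["cidr", "label"])
    writer.writerows(rows)
    return buf.getvalue()
```

Running `cidr_lookup(RAW_LOOKUP, "165.225.68.64")` returns the /17 row, while the same lookup over `sort_most_specific_first(RAW_LOOKUP)` returns the /24 row, which is the difference the thread observes.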