I would like to make a CIDR-type lookup that matches only the most specific prefix. For example, if there is a lookup table with the 165.225.0.0/17 and 165.225.68.0/24 prefixes, then 165.225.68.64 should be matched only against the /24 prefix.
In the past I thought that was default Splunk behavior but either I was wrong (most likely) or the Splunk behavior has changed over time (less likely).
The way lookup files work is we will read the file until max_matches has been satisfied. If the file is sorted by reverse mask bits (/32, /31, etc.) and max_matches=1, then this will appear to work, so long as only one row for a given CIDR is expected.
Line #27 in this macro has an example: https://bitbucket.org/SPLServices/seckit_sa_idm_common/src/f1abb1c9099be10a613c160a4b0d88088c0899c4/...
It looks like generating the lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (and I checked around 12 000 IPs against their BGP prefixes). However, it would be good to have confirmation in the Splunk documentation that this is expected Splunk behaviour.
What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions
My understanding is that in such a case, if 61.31.236.1 is tested against a lookup where two prefixes exist (61.31.224.0/20 and 61.31.236.0/24), it should be matched to 61.31.224.0/20 (as it is first in sorting order). However, if the lookup is sorted by network size it is actually being matched to 61.31.236.0/24, which is good from the point of view of the described problem, but I'm not quite sure if it's aligned with the above-mentioned documentation.
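The following is an added example, not code from this thread or from Splunk. It models the two behaviours discussed above (the answer's "read rows in file order until max_matches is satisfied" and the asker's "most specific prefix wins"), using constructed lookup rows built from the prefixes quoted in the thread. It shows that plain ASCII order of the CIDR strings returns the /17 and /20 aggregates, while ordering rows by descending mask bits makes first-match agree with longest-prefix match, and it includes the kind of check a practitioner would run over a whole lookup file before trusting that ordering. The function names and the `LOOKUP_ROWS` labels are assumptions of this example; the file-reading behaviour is simulated, not Splunk's own code.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

Row = Tuple[str, str]  # (cidr, label)

# Constructed sample rows using the prefixes mentioned in the thread.
# The labels are made up for illustration.
LOOKUP_ROWS: List[Row] = [
    ("165.225.0.0/17", "aggregate-17"),
    ("165.225.68.0/24", "specific-24"),
    ("61.31.224.0/20", "aggregate-20"),
    ("61.31.236.0/24", "specific-24b"),
]


def ascii_sorted(rows: Sequence[Row]) -> List[Row]:
    """Plain string sort of the cidr column, i.e. the ASCII sort order
    the documentation quote refers to."""
    return sorted(rows, key=lambda r: r[0])


def mask_sorted(rows: Sequence[Row]) -> List[Row]:
    """Order rows by descending prefix length (/32, /31, ... /0), which is the
    'sorted by reverse mask bits' layout suggested in the answer."""
    return sorted(
        rows,
        key=lambda r: ipaddress.ip_network(r[0], strict=False).prefixlen,
        reverse=True,
    )


def first_match(rows: Sequence[Row], ip: str, max_matches: int = 1) -> List[Row]:
    """Simulate a CIDR lookup read top to bottom that stops as soon as
    max_matches rows have matched (the behaviour described in the answer)."""
    addr = ipaddress.ip_address(ip)
    matches: List[Row] = []
    for cidr, label in rows:
        if addr in ipaddress.ip_network(cidr, strict=False):
            matches.append((cidr, label))
            if len(matches) >= max_matches:
                break
    return matches


def longest_prefix_match(rows: Sequence[Row], ip: str) -> Optional[Row]:
    """Reference answer: the most specific containing prefix, independent of
    row order. This is what the question wants the lookup to return."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_label = None
    for cidr, label in rows:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_label = net, label
    return (str(best_net), best_label) if best_net is not None else None


def order_mismatches(rows: Sequence[Row], ips: Sequence[str]) -> List[str]:
    """Return the IPs for which first-match-in-file-order disagrees with
    longest-prefix match. An empty list means the row order is safe to use
    with max_matches=1 for these test addresses."""
    bad = []
    for ip in ips:
        fm = first_match(rows, ip)
        lpm = longest_prefix_match(rows, ip)
        if (fm[0] if fm else None) != lpm:
            bad.append(ip)
    return bad


if __name__ == "__main__":
    tests = ["165.225.68.64", "165.225.1.1", "61.31.236.1", "10.0.0.1"]
    print("ASCII order  :", order_mismatches(ascii_sorted(LOOKUP_ROWS), tests))
    print("mask-bit order:", order_mismatches(mask_sorted(LOOKUP_ROWS), tests))
```

Running `order_mismatches` over the full set of addresses you care about (the 12 000 IPs mentioned above, for instance) turns the "seems to work" observation into a check: any address it reports is one where the file order, not the prefix length, decided the match. The mask-bit ordering only guarantees the most specific prefix when max_matches=1 and each CIDR appears in a single row; with duplicate rows for the same CIDR, the first of those duplicates in the file is the one returned.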