Solved: Comparison with lookup cidrmatch?

bosseres · ‎12-26-2022

Hello everyone,

I got several fields in search result (name, ip_src). Now I have lookup with 2 columns:

name	subnet
name1	10.10.10.1/24
name2	10.20.10.1/24
name3	10.20.10.1/24

I need firstly find by name corresponding subnet (for example I got in search result "name1" in field name, there is subnet 10.10.10.1/24) and next compare if src_ip of this name matches subnet.

Thank you for your help in advance

richgalloway · ‎12-27-2022

You can lookup a name in the lookup file and get the subnet back by using the lookup command.

<<your search>>
| lookup mylookup.csv name OUTPUT subnet

Test if a given field matches the subnet by using the cidrmatch function.

| eval match=if(cidrmatch(subnet, src_ip), "match", "nomatch")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-27-2022

You can lookup a name in the lookup file and get the subnet back by using the lookup command.

<<your search>>
| lookup mylookup.csv name OUTPUT subnet

Test if a given field matches the subnet by using the cidrmatch function.

| eval match=if(cidrmatch(subnet, src_ip), "match", "nomatch")

---
If this reply helps you, Karma would be appreciated.

bosseres · ‎12-28-2022

thank you, very much

Comparison with lookup cidrmatch?

fields

join

lookup

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!