Solved: Comparison with lookup cidrmatch?

bosseres · ‎12-26-2022

Hello everyone,

I got several fields in search result (name, ip_src). Now I have lookup with 2 columns:

name	subnet
name1	10.10.10.1/24
name2	10.20.10.1/24
name3	10.20.10.1/24

I need firstly find by name corresponding subnet (for example I got in search result "name1" in field name, there is subnet 10.10.10.1/24) and next compare if src_ip of this name matches subnet.

Thank you for your help in advance

richgalloway · ‎12-27-2022

You can lookup a name in the lookup file and get the subnet back by using the lookup command.

<<your search>>
| lookup mylookup.csv name OUTPUT subnet

Test if a given field matches the subnet by using the cidrmatch function.

| eval match=if(cidrmatch(subnet, src_ip), "match", "nomatch")

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎12-27-2022

You can lookup a name in the lookup file and get the subnet back by using the lookup command.

<<your search>>
| lookup mylookup.csv name OUTPUT subnet

Test if a given field matches the subnet by using the cidrmatch function.

| eval match=if(cidrmatch(subnet, src_ip), "match", "nomatch")

---
If this reply helps you, Karma would be appreciated.

bosseres · ‎12-28-2022

thank you, very much

Comparison with lookup cidrmatch?

fields

join

lookup

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!