Splunk Search

Comparison with lookup cidrmatch?

bosseres
Contributor

Hello everyone, 

I have several fields in the search result (name, ip_src). Now I have a lookup with 2 columns:

name    subnet
name1   10.10.10.1/24
name2   10.20.10.1/24
name3   10.20.10.1/24

I first need to find the corresponding subnet by name (for example, if the search result has "name1" in the name field, the subnet is 10.10.10.1/24), and then check whether the src_ip for that name matches the subnet.

Thank you for your help in advance

1 Solution

richgalloway
SplunkTrust

You can lookup a name in the lookup file and get the subnet back by using the lookup command.

<<your search>>
| lookup mylookup.csv name OUTPUT subnet

Test if a given field matches the subnet by using the cidrmatch function.

| eval match=if(cidrmatch(subnet, src_ip), "match", "nomatch")

---
If this reply helps you, Karma would be appreciated.
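The two commands from the answer above, assembled into one end-to-end search that can be pasted into Splunk as-is. This is an added example and not part of the original answer: the four events are constructed with makeresults (one per lookup name, plus a name that is absent from the lookup), it assumes the lookup file is uploaded as mylookup.csv with the name/subnet columns from the question, and it uses src_ip as the field name, as the answer does. Beyond the original, it also handles the case where the name is not in the lookup, so a null subnet is reported separately instead of being silently treated as no match.

```spl
| makeresults count=4
| streamstats count AS n
| eval name=case(n=1, "name1", n=2, "name2", n=3, "name3", n=4, "name9")
| eval src_ip=case(n=1, "10.10.10.57", n=2, "10.20.10.200", n=3, "192.168.5.5", n=4, "10.10.10.57")
| fields - _time n
| lookup mylookup.csv name OUTPUT subnet
| eval match=case(isnull(subnet), "unknown_name",
                  cidrmatch(subnet, src_ip), "match",
                  true(), "nomatch")
| table name src_ip subnet match
```

With the lookup from the question, name1 and name2 come back as match, name3 (192.168.5.5 against 10.20.10.1/24) as nomatch, and name9 as unknown_name because the lookup returns no subnet for it. Two practical notes: store the network address in the lookup (10.10.10.0/24 rather than 10.10.10.1/24) so the intended range is unambiguous to anyone reading the file, and remember that name2 and name3 share a subnet in the question's table, so a match says only that the source IP is inside the subnet assigned to that name, not that the name is unique to the subnet.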



bosseres
Contributor

Thank you very much
