Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Lookup cidrtomatch for loop

hackerkor
Observer
‎07-19-2022 09:46 PM

I have a lookup with IP addresses (CIDR), I need to find the intersection of IP addresses. There is a command in splunk called cidrtomatch. I need all fields where there is an intersection in the same table to make a checkmark. In the field notes - equate to 1.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 10:22 PM

Do you mean cidrmatch() comparison function? Or the CIDR match type in the lookup definition?

Can you explain which "table" you are referring to?

What have you tried so far?

0 Karma
Reply

hackerkor
Observer
‎07-20-2022 08:40 PM

Yes, you're right I'm referring to the cidrmatch() function.
I have a table with a CIDR. I need to find the intersections between them. That is, if one subnet is part of another, I have to make a mark in the database.

I don't know how to go through the whole CIDR column in lookup and go through everything.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:56 AM

To convert CIDR format to lower and upper bounds, try something like this

| rex field=cidr "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)\.(?<ip4>\d+)/(?<bits>\d+)"
| eval lower=((ip1 * 256 + ip2) * 256 + ip3) * 256 + ip4
| eval upper=lower+pow(2,32-bits)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:32 AM

I am not sure which database you are referring to. Having said that, I am not sure whether this will work, but you could try this approach.

CIDR format effectively represents a range of values. These values are effectively 32-bit values (assuming IPv4). If you convert the lower bound of the CIDR to an integer and calculate the upper bound, you might be able to do this to identify where the overlaps are.

Here is a runanywhere example demonstrating the approach. lower <= range < upper

| makeresults count=5
| streamstats count as lower
| eval upper=lower*2
| eval values=mvrange(lower,upper)
| stats count values(lower) as intersection by values
| where count > 1

 

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...