I have a lookup with IP addresses (CIDR), I need to find the intersection of IP addresses. There is a command in splunk called cidrtomatch. I need all fields where there is an intersection in the same table to make a checkmark. In the field notes - equate to 1.
Do you mean cidrmatch() comparison function? Or the CIDR match type in the lookup definition?
Can you explain which "table" you are referring to?
What have you tried so far?
Yes, you're right I'm referring to the cidrmatch() function.
I have a table with a CIDR. I need to find the intersections between them. That is, if one subnet is part of another, I have to make a mark in the database.
I don't know how to go through the whole CIDR column in lookup and go through everything.
To convert CIDR format to lower and upper bounds, try something like this
| rex field=cidr "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)\.(?<ip4>\d+)/(?<bits>\d+)"
| eval lower=((ip1 * 256 + ip2) * 256 + ip3) * 256 + ip4
| eval upper=lower+pow(2,32-bits)
I am not sure which database you are referring to. Having said that, I am not sure whether this will work, but you could try this approach.
CIDR format effectively represents a range of values. These values are effectively 32-bit values (assuming IPv4). If you convert the lower bound of the CIDR to an integer and calculate the upper bound, you might be able to do this to identify where the overlaps are.
Here is a runanywhere example demonstrating the approach. lower <= range < upper
| makeresults count=5
| streamstats count as lower
| eval upper=lower*2
| eval values=mvrange(lower,upper)
| stats count values(lower) as intersection by values
| where count > 1