Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to Lookup cidrtomatch for loop

hackerkor
Observer
‎07-19-2022 09:46 PM

I have a lookup with IP addresses (CIDR), I need to find the intersection of IP addresses. There is a command in splunk called cidrtomatch. I need all fields where there is an intersection in the same table to make a checkmark. In the field notes - equate to 1.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 10:22 PM

Do you mean cidrmatch() comparison function? Or the CIDR match type in the lookup definition?

Can you explain which "table" you are referring to?

What have you tried so far?

0 Karma
Reply

hackerkor
Observer
‎07-20-2022 08:40 PM

Yes, you're right I'm referring to the cidrmatch() function.
I have a table with a CIDR. I need to find the intersections between them. That is, if one subnet is part of another, I have to make a mark in the database.

I don't know how to go through the whole CIDR column in lookup and go through everything.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:56 AM

To convert CIDR format to lower and upper bounds, try something like this

| rex field=cidr "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)\.(?<ip4>\d+)/(?<bits>\d+)"
| eval lower=((ip1 * 256 + ip2) * 256 + ip3) * 256 + ip4
| eval upper=lower+pow(2,32-bits)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:32 AM

I am not sure which database you are referring to. Having said that, I am not sure whether this will work, but you could try this approach.

CIDR format effectively represents a range of values. These values are effectively 32-bit values (assuming IPv4). If you convert the lower bound of the CIDR to an integer and calculate the upper bound, you might be able to do this to identify where the overlaps are.

Here is a runanywhere example demonstrating the approach. lower <= range < upper

| makeresults count=5
| streamstats count as lower
| eval upper=lower*2
| eval values=mvrange(lower,upper)
| stats count values(lower) as intersection by values
| where count > 1

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...