Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Lookup cidrtomatch for loop

hackerkor
Observer
‎07-19-2022 09:46 PM

I have a lookup with IP addresses (CIDR), I need to find the intersection of IP addresses. There is a command in splunk called cidrtomatch. I need all fields where there is an intersection in the same table to make a checkmark. In the field notes - equate to 1.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 10:22 PM

Do you mean cidrmatch() comparison function? Or the CIDR match type in the lookup definition?

Can you explain which "table" you are referring to?

What have you tried so far?

0 Karma
Reply

hackerkor
Observer
‎07-20-2022 08:40 PM

Yes, you're right I'm referring to the cidrmatch() function.
I have a table with a CIDR. I need to find the intersections between them. That is, if one subnet is part of another, I have to make a mark in the database.

I don't know how to go through the whole CIDR column in lookup and go through everything.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:56 AM

To convert CIDR format to lower and upper bounds, try something like this

| rex field=cidr "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)\.(?<ip4>\d+)/(?<bits>\d+)"
| eval lower=((ip1 * 256 + ip2) * 256 + ip3) * 256 + ip4
| eval upper=lower+pow(2,32-bits)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-21-2022 12:32 AM

I am not sure which database you are referring to. Having said that, I am not sure whether this will work, but you could try this approach.

CIDR format effectively represents a range of values. These values are effectively 32-bit values (assuming IPv4). If you convert the lower bound of the CIDR to an integer and calculate the upper bound, you might be able to do this to identify where the overlaps are.

Here is a runanywhere example demonstrating the approach. lower <= range < upper

| makeresults count=5
| streamstats count as lower
| eval upper=lower*2
| eval values=mvrange(lower,upper)
| stats count values(lower) as intersection by values
| where count > 1

 

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...