If your IP ranges are defined as CIDR ranges, then you can make a lookup using the IP range as a CIDR lookup field. Then you can give the lookup an IP address and it will return the location.
See the lookup documentation
https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Lookup
How is iprange defined?
|inputlookup demo.csv
| eval ip = "xx.xxx.xxx.xxx" ```Enter the IP address you want to match```
| eval result=if(cidrmatch(ip_range, ip), "true", "false")
| search result="true"
I am using the above SPL to return the result for the IP address associated with the IP range in the lookup table. This works fine.
I want to do the same thing when index=main has a field ip which contains an IP address. I need to invoke cidrmatch to output the result associated with the same iprange. How do I modify my SPL? Since the lookup table and my index info have nothing in common other than the IP field I have and the IP range info in the lookup table, is there a way I can use the lookup command to do this?
Thanks
Yes, you need to make a lookup DEFINITION based on the lookup file. In the advanced options for the definition add CIDR(ip_range)
In your SPL you do
index=main
| lookup definition_name ip_range as ip OUTPUT ip_range as found
then you will have the found field as your range if the IP is found or null if not found
so you can do this
| where isnotnull(found)
which will find those that match the range.
Hi,
I hope someone can help me. In my case the lookup has a CIDR definition, but the lookup is not matching and I know there is at least one match.
this is my line:
| lookup file.csv network AS ip OUTPUT network AS sub_xarxa
thanks in advance
Hi @alberto-sirt,
As @bowesmana said you need to use a lookup definition instead of querying the lookup file itself. You can refer to this example: https://docs.splunk.com/Documentation/Splunk/9.2.2/Knowledge/Addfieldmatchingrulestoyourlookupconfig....
Your lookup command is looking up file.csv, which is NOT the definition.
The lookup file contains the data, the lookup definition is the lens through which you interpret the data in the file.
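The lookup definition described in the answers above, written out as a transforms.conf stanza. This is an added example, not configuration posted by anyone in this thread; the stanza name `ip_range_lookup`, the file name `demo.csv` and the column name `ip_range` are assumptions chosen to match the SPL earlier in the thread.

```ini
# transforms.conf (added example; names are assumptions matching the thread's SPL)
#
# Pointing "| lookup" straight at the file, e.g.
#   | lookup demo.csv ip_range AS ip OUTPUT ip_range AS found
# compares the ip_range column to the event's ip as an exact string, so a
# single address never equals a CIDR block and nothing matches.
#
# A lookup definition with a CIDR match type compares the ip_range column as
# a CIDR block, so an address contained in the block is a match:
[ip_range_lookup]
filename = demo.csv
match_type = CIDR(ip_range)
# With overlapping blocks the OUTPUT field would become multivalued; cap it
# at one match so "where isnotnull(found)" behaves as a simple hit/miss test.
max_matches = 1
```

The search then references the definition rather than the file: `index=main | lookup ip_range_lookup ip_range AS ip OUTPUT ip_range AS found | where isnotnull(found)`.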
Thanks very much. It is solved now.