Let's say I'm trying to search for events where src_ip field matches some subnet:
search index=myindex src_ip="220.127.116.11/16"
This works perfectly. Now I want to run a similar search, but for IPv6 subnet:
search index=myindex src_ip6="1234:5678::/32"
This does NOT work. However, cidrmatch() function in "where" command works for both IPv4 and IPv6, so I consider search behaviour described above to be a bug.
Is this a known issue for Splunk developers? Is there a way to workaround this without using cidrmatch()?
P.S. Is it OK to report bugs here at splunkbase? I didn't found the Splunk bugtracker...
While lookups and the cidrmatch function work with IPv6 CIDR notation, a direct search (similar to your first one with IPv4) does not. It is a known internal requirement that will be tentatively solved in a future release.