Solved: Is there a way to choose the smaller subnet that c...

joock3r · ‎02-14-2023

Hi,

I have a lookup definition that look like that:

When I'm running this search with looking up in this lookup difinition, I'm getting the wider subnet.

index="FW" action=allowed src_ip=10.0.0.1 sourcetype=fw
| lookup ipam subnet AS src_ip OUTPUT subnet AS "Source Subnet"
| table src_ip "Source Subnet" dest_ip Service Protocol app Rule Device _time 
| sort 0 -_time

The ipam lookup contains amount of subnets that contatining each other (for example 10.0.0.0/16, 10.0.0.0/24).

The results that I'm getting is for the wider subnet, in my example - 10.0.0.0/16.

Is there a way to choose the smaller subnet that contains the src_ip?

Thanks 🙂

richgalloway · ‎02-14-2023

Lookup always return the first match. Edit the lookup to put the smaller subnets before the larger ones.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-14-2023

Lookup always return the first match. Edit the lookup to put the smaller subnets before the larger ones.

---
If this reply helps you, Karma would be appreciated.

Is there a way to choose the smaller subnet that contains the src_ip?

subsearch

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform