Result-depending cidrmatch between two lookups?

JoDeBa
Loves-to-Learn

Hello,

I've been searching the internet for quite a while, but can't find any approach.

I have a primary search that looks for IP networks in a CSV based on various parameters, such as location (inputlookup), and then creates a CIDR including the bit length of the subnet mask.

Based on this search, I want to search for IPs in a second table.

In principle, I have already implemented this in an (initially poor) solution by using a token that I pass from one search to the other and then use a CIDRMATCH there. This works fine as long as I only have a one-to-one search result in the first search.

Now I have the problem that the first search returns multiple results (e.g. multiple subnets at one location) and I want to search for matching IPs in the second CSV for all found subnets.

This is what the first search (already defined as base search) looks like:

<search id="base">
<query>
| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet_mv = mvappend(NetIP , "/", prefix)
| eval CIDRNet = mvjoin(CIDRNet_mv, "")
</query>
<done>
<set token="CIDR_tok">$result.CIDRNet$</set>
</done>
</search>

The first search displays perhaps 25 different IP subnets.

And the second search is (currently I don't make use of the BS, but I want to):

<search>
<query>
| inputlookup list_of_devices
| where cidrmatch("$CIDR_tok$", devIP)
| sort devIP
</query>
</search>

I already tried something with subsearches, lookups, append and appendpipe.

Thank you all.

somesoni2
Revered Legend

Give this a try (workaround, dynamically generating where clause with cidrmatch filters):

| inputlookup list_of_devices
| where [| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet_mv = mvappend(NetIP , "/", prefix)
| eval CIDRNet = mvjoin(CIDRNet_mv, "")
| eval search="cidrmatch(\"".CIDRNet."\",devIP)"
| table search
| format "" "" "" "" "OR" ""
| eval search=replace(replace(replace(search,"\\\\",""),"\"c","c"),"\)\"",")")
]
| sort devIP


You could also create a new lookup with lookup definition of cidrmatch and use that to filter records. See this for reference: https://splunkonbigdata.com/cidr-lookup-in-splunk/

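Along the lines of the CIDR-lookup reference above, here is an added example (not code from this thread) that does the matching with a lookup definition instead of a generated OR clause: the first search exports the base search's subnets to a CSV, the second matches every device against all of them at once. It assumes a lookup file site_subnets.csv and a lookup definition site_subnets in transforms.conf with filename = site_subnets.csv and match_type = CIDR(CIDRNet); the file name, definition name and matched_subnet field are assumptions beyond what the thread shows.

```spl
| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet = NetIP . "/" . prefix
| table CIDRNet City Street
| outputlookup site_subnets.csv

| inputlookup list_of_devices
| lookup site_subnets CIDRNet AS devIP OUTPUT CIDRNet AS matched_subnet City Street
| where isnotnull(matched_subnet)
| sort devIP
```

Devices whose devIP falls in none of the exported subnets come back with matched_subnet empty and are dropped by the where clause; leave it out to list such hosts instead. The eval with "." concatenation yields the same CIDR string as the mvappend plus mvjoin pair in the base search.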

JoDeBa
Loves-to-Learn

Thanks, I will try this approach. Currently I am having some issues with malformed "where" commands. I will leave an update when I get further.
