Solved: Show IP addresses not matching CIDR ranges in look...

splunklearner12 · ‎06-05-2019

I have a list of CIDR ranges in a single column with name Prefix in a csv file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidr_lookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)

I tried this search and lots of others I found online:

| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"

I get an error saying:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?

splunklearner12 · ‎06-06-2019

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

View solution in original post

splunklearner12 · ‎06-06-2019

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

Show IP addresses not matching CIDR ranges in lookup table

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update