I have a list of CIDR ranges in a single column named Prefix in a CSV file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidr_lookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)
I tried this search and lots of others I found online:
| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"
I get an error saying:
basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)
I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?
I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.
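For reference, the transforms.conf stanza that the accepted answer points at, written out as an added example (not the poster's actual file); the stanza name and the CSV file name are assumed, the match settings are the ones given in the question:

```ini
# transforms.conf (e.g. in $SPLUNK_HOME/etc/apps/<app>/local/)
# Stanza name is the lookup name used in "| lookup cidr_lookup ..."
[cidr_lookup]
# CSV must carry a header row whose column is named "Prefix" (assumed file name)
filename = cidr_ranges.csv
# Treat the Prefix column as CIDR blocks and match the looked-up IP against them
match_type = CIDR(Prefix)
# With min_matches > 0, events that match no prefix get default_match in the
# OUTPUT field instead of being left without a value
min_matches = 1
default_match = NONE
```

After a restart (or a debug/refresh), `| lookup cidr_lookup Prefix AS sIP OUTPUT Prefix AS cidr_range | where cidr_range="NONE"` keeps only events whose sIP falls outside every listed range; without min_matches/default_match the cidr_range field would simply be absent on non-matching events and the where clause would drop them.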