Splunk Search

Show IP addresses not matching CIDR ranges in lookup table

splunklearner12
Path Finder

I have a list of CIDR ranges in a single column with name Prefix in a csv file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidr_lookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)

I tried this search and lots of others I found online:

| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"

I get an error saying:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?

0 Karma
1 Solution

splunklearner12
Path Finder

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

View solution in original post

0 Karma

splunklearner12
Path Finder

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...