Solved: Show IP addresses not matching CIDR ranges in look...

splunklearner12 · ‎06-05-2019

I have a list of CIDR ranges in a single column with name Prefix in a csv file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidr_lookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)

I tried this search and lots of others I found online:

| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"

I get an error saying:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?

splunklearner12 · ‎06-06-2019

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

View solution in original post

splunklearner12 · ‎06-06-2019

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

Show IP addresses not matching CIDR ranges in lookup table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life