Splunk Search

Show IP addresses not matching CIDR ranges in lookup table

splunklearner12
Path Finder

I have a list of CIDR ranges in a single column with name Prefix in a csv file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidr_lookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)

I tried this search and lots of others I found online:

| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"

I get an error saying:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?

0 Karma
1 Solution

splunklearner12
Path Finder

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

View solution in original post

0 Karma

splunklearner12
Path Finder

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...