
Show IP addresses not matching CIDR ranges in lookup table

Path Finder

I have a list of CIDR ranges in a single column with name Prefix in a csv file. I only want to show events with source IPs (sIP) that are not in any of those ranges. My lookup definition for cidrlookup is as follows:
minimum matches: 1
default matches: "NONE"
Match type: match_type = CIDR(Prefix)

I tried this search and lots of others I found online:

| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range
| where cidr_range= "NONE"

I get an error saying:

basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0)

I know that most events contain IPs that are in one of the ranges in the lookup file.
Can you help me use my lookup file correctly?


Re: Show IP addresses not matching CIDR ranges in lookup table

Path Finder

I managed to make it work using advice found here: https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
Basically, I had to edit transforms.conf - I thought I could achieve the same result using the web UI lookup definition but no.


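For readers who land here with the same problem, the following transforms.conf stanza is an added example of the kind of edit the answer above refers to; it is not the original poster's configuration. It assumes a lookup stanza named cidr_lookup, a CSV file named cidr_ranges.csv uploaded to the app's lookups directory, and a single column named Prefix holding the CIDR ranges. Only documented transforms.conf keys are used.

```ini
# Added example, not the original poster's configuration.
# Stanza name "cidr_lookup" and file name "cidr_ranges.csv" are assumptions.
[cidr_lookup]
filename = cidr_ranges.csv

# Compare the input value against the Prefix column as a CIDR block
# instead of as an exact string; the field named inside CIDR() must be
# the lookup column, not the event field.
match_type = CIDR(Prefix)

# Require at least one match; when no range contains the IP, the OUTPUT
# field is populated with default_match (unquoted in .conf files) so it
# can be tested with "where".
min_matches = 1
default_match = NONE

# Return only the first range that matches
max_matches = 1
```

With that stanza in place, the search from the question, "| lookup cidr_lookup Prefix as sIP OUTPUT Prefix as cidr_range | where cidr_range="NONE"", keeps only events whose sIP falls outside every Prefix range; events inside a range carry the matching CIDR in cidr_range instead of NONE. A quick sanity check before relying on it is to run the lookup without the where clause over a handful of known-inside and known-outside addresses and confirm cidr_range is a prefix for the former and NONE for the latter.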