Solved: Using CIDRMatch with a lookup of range IP

aymane96 · ‎11-10-2022

Hello community,

I have a query returning result with an IP address value (src_ip).

I used to add a line to match some Range IP :

| where cidrmatch("Range IP", src_ip)

Now I have many other range IP to add. Instead of adding many lines, I created a CSV lookup with all these ranges.

range_ip    |  comment 
-----------------------
10.0.0.0/8  |  range1
11.0.0.0/8  |  range2
12.0.0.0/8  |  range3

Do you have any idea how can I filter my result using CIDRMATCH function and based on range_ip column of my lookup CSV.

Something like :

| where cidrmatch( range_ip IN lookup.csv, src_ip)

Thanks

starcher · ‎11-10-2022

You cannot use the CIDRMATCH feature of lookups without properly defining the lookup. Doing it as a CSV will not work. You need to setup the transforms name and associated feature like CIDR match type. Then use the lookup AS a lookup not a list.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Knowledge/Addfieldmatchingrulestoyourlookupconfig...

View solution in original post

starcher · ‎11-10-2022

You cannot use the CIDRMATCH feature of lookups without properly defining the lookup. Doing it as a CSV will not work. You need to setup the transforms name and associated feature like CIDR match type. Then use the lookup AS a lookup not a list.

https://docs.splunk.com/Documentation/Splunk/9.0.1/Knowledge/Addfieldmatchingrulestoyourlookupconfig...

aymane96 · ‎11-10-2022

Hello @starcher

Thank you so much, it works like a charm.

I used the lookup definition based on my CSV and specified the matchtype as CIDR.

Many thanks

Using CIDRMatch with a lookup of range IP

lookup

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!