Splunk Search

Why is the lookup for CIDR table not working?

ng87
Path Finder

I have been trying to create a basic lookup within Splunk where we can search an IP and get back some information. The CSV I have is a list of all our various subnets alongside some other information. For example:

Range            Info
x.x.x.x/24       CountryA
x.x.x.0/28       CountryB
10.10.10.0/22    CountryA_PrivateLan

I have added this config to the local app's transforms file:

[network_ranges]
filename = network_ranges.csv
min_matches = 1
default_match = NONE
match_type = CIDR(Range)

If I do the below search I get 0 results:

| inputlookup network_ranges where Range=10.10.10.10

The only way I get any results is if I match exactly the CIDR string which obviously isn't helpful.

Any help would be greatly appreciated.

PS. At the moment this is just to be used to find further information for specific IPs, no short-term plans to use this information in 'traditional' search results.

0 Karma
1 Solution

Ayn
Legend

I think you may have misunderstood how the CIDR matching on lookups works.

First of all inputlookup is just a way to read stuff from a lookup file and make the fields in that file available to the rest of the search pipeline. The where argument only provides basic filtering capabilities. The CIDR match applies when using the lookup command (or if the lookup is performed implicitly). You'd match it against specified data from a search pipeline, and Splunk would compare the IP address provided in the data to the CIDR ranges defined in the lookup to see if the IP belongs to any of them.

If you don't have any data to match against but just want to specify an IP that is matched using CIDR, you could do something like

| makeresults | eval ip="10.10.10.10" | lookup network_ranges Range as ip OUTPUT Info | table ip Info

0 Karma

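The matching behaviour Ayn describes, as an added Python example that is not part of the original thread (the x.x.x.x placeholder ranges are replaced with constructed documentation-range values): the where clause of inputlookup compares the Range string literally, while the lookup command with match_type = CIDR(Range) tests whether the IP falls inside each range and applies min_matches / default_match.

```python
import csv
import io
import ipaddress

# Constructed stand-in for network_ranges.csv; the two x.x.x.x rows from the
# question are replaced with RFC 5737 documentation ranges (hypothetical data).
NETWORK_RANGES_CSV = """Range,Info
192.0.2.0/24,CountryA
198.51.100.0/28,CountryB
10.10.10.0/22,CountryA_PrivateLan
"""


def load_ranges(text=NETWORK_RANGES_CSV):
    """Read the lookup table the way inputlookup does: plain rows of strings."""
    return list(csv.DictReader(io.StringIO(text)))


def inputlookup_where_equals(rows, field, value):
    """'| inputlookup network_ranges where Range=<value>': a literal string
    comparison against the Range column, so an IP never matches a CIDR row."""
    return [r for r in rows if r[field] == value]


def lookup_cidr(rows, lookup_field, ip, output_field,
                min_matches=1, default_match="NONE"):
    """'| lookup network_ranges Range as ip OUTPUT Info' with
    match_type = CIDR(Range): the event's IP is tested for membership in
    every range; below min_matches hits, default_match is returned instead."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        matches = []  # malformed IP in the event: nothing can match
    else:
        # strict=False accepts rows such as 10.10.10.0/22 whose host bits are
        # set (the network is really 10.10.8.0/22), as Splunk's lookup does.
        matches = [
            r[output_field] for r in rows
            if addr in ipaddress.ip_network(r[lookup_field], strict=False)
        ]
    if len(matches) < min_matches:
        return [default_match]
    return matches


if __name__ == "__main__":
    rows = load_ranges()
    print(inputlookup_where_equals(rows, "Range", "10.10.10.10"))  # []
    print(lookup_cidr(rows, "Range", "10.10.10.10", "Info"))  # CountryA_PrivateLan
```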