Splunk Search

Why is the lookup for CIDR table not working?

ng87
Path Finder

I have been trying to create a basic lookup within Splunk where we can search an IP and get back some information. The CSV I have is a list of all our various subnets alongside some other information. For example

Range            Info
x.x.x.x/24       CountryA
x.x.x.0/28       CountryB
10.10.10.0/22    CountryA_PrivateLan

I have added this config to the local app's transforms file :

[network_ranges]
filename = network_ranges.csv
min_matches = 1
default_match = NONE
match_type = CIDR(Range)

If I do the below search I get 0 results

| inputlookup network_ranges where Range=10.10.10.10

The only way I get any results is if I match exactly the CIDR string which obviously isn't helpful.

Any help would be greatly appreciated

PS. At the moment this is just to be used to find further information for specific IPs, no short-term plans to use this information in 'traditional' search results

0 Karma
1 Solution

Ayn
Legend

I think you may have misunderstood how the CIDR matching on lookups works.

First of all inputlookup is just a way to read stuff from a lookup file and make the fields in that file available to the rest of the search pipeline. The where argument only provides basic filtering capabilities. The CIDR match applies when using the lookup command (or if the lookup is performed implicitly). You'd match it against specified data from a search pipeline, and Splunk would compare the IP address provided in the data to the CIDR ranges defined in the lookup to see if the IP belongs to any of them.

If you don't have any data to match against but just want to specify an IP that is matched using CIDR, you could do something like

     | makeresults | eval ip="10.10.10.10" | lookup network_ranges Range as ip OUTPUT Info | table ip Info


0 Karma

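As an added example (not part of this thread and not Splunk's own code), the Python script below models the two behaviours Ayn contrasts: the plain string equality that `| inputlookup network_ranges where Range=...` performs on the Range column, and the containment test that `| lookup network_ranges Range AS ip OUTPUT Info` performs when the stanza has `match_type = CIDR(Range)`, including the `default_match = NONE` / `min_matches = 1` fallback and enrichment of search results by a `src_ip` field. The CSV contents are constructed for the example (RFC 5737 documentation ranges stand in for the x.x.x.x placeholders); the assumption that a non-canonical prefix such as 10.10.10.0/22 is treated as its covering network is the model's, not a statement about Splunk.

```python
import csv
import io
import ipaddress

# Constructed stand-in for network_ranges.csv. The x.x.x.x placeholders from the
# question are replaced with RFC 5737 documentation ranges; the 10.10.10.0/22
# row is kept as written in the question.
NETWORK_RANGES_CSV = """Range,Info
192.0.2.0/24,CountryA
198.51.100.0/28,CountryB
10.10.10.0/22,CountryA_PrivateLan
"""

DEFAULT_MATCH = "NONE"  # mirrors default_match = NONE in the transforms stanza


def load_ranges(csv_text):
    """Parse the lookup CSV into (raw_range_string, network, info) tuples."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Range"].strip()
        try:
            # strict=False: 10.10.10.0/22 has host bits set; this model assumes
            # the covering network 10.10.8.0/22 is meant (an assumption here).
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # skip a malformed row instead of failing the whole table
        rows.append((raw, net, row["Info"]))
    return rows


def exact_match(rows, value):
    """What `| inputlookup network_ranges where Range=<value>` does:
    plain string equality against the Range column, so an IP never matches
    a CIDR string."""
    return [info for raw, _net, info in rows if raw == value]


def cidr_lookup(rows, ip, default=DEFAULT_MATCH):
    """What `| lookup network_ranges Range AS ip OUTPUT Info` does with
    match_type = CIDR(Range): the Info of every row whose range contains ip
    (several matches become a multivalue field); with min_matches = 1 and no
    match, the default_match value is returned instead."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return [default]  # a non-IP value matches no range
    matches = [info for _raw, net, info in rows if addr in net]
    return matches if matches else [default]


def enrich_events(rows, events, ip_field="src_ip"):
    """Model of `... | lookup network_ranges Range AS src_ip OUTPUT Info`
    applied to search results: adds an Info field to each event."""
    out = []
    for ev in events:
        enriched = dict(ev)
        enriched["Info"] = cidr_lookup(rows, ev[ip_field])
        out.append(enriched)
    return out


if __name__ == "__main__":
    ranges = load_ranges(NETWORK_RANGES_CSV)
    print("where Range=10.10.10.10 ->", exact_match(ranges, "10.10.10.10"))
    print("CIDR lookup 10.10.10.10 ->", cidr_lookup(ranges, "10.10.10.10"))
    sample_events = [  # constructed events standing in for search results
        {"src_ip": "192.0.2.77"},
        {"src_ip": "198.51.100.16"},
    ]
    for ev in enrich_events(ranges, sample_events):
        print(ev)
```

Running it shows the empty list for the string comparison and `['CountryA_PrivateLan']` for the CIDR lookup, which is the difference Ayn points out: the `where` clause of `inputlookup` never consults `match_type`, only the `lookup` command (explicit or automatic) does.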