I have more than 40 class B subnets in my geographically dispersed enterprise.
I would like to create a lookup for my company subnets so that when I do searches on firewall and IDS data I can exclude or include company to and from IPs using the CIDR notation for the Class B subnets. The reason I want to use CIDR is because I have a few supernetted Class B groups with a /14 CIDR designation.
I have a search like this:
index=firewall action!=deny source_zone_name="Untrust"
| stats count by source_address
This search is not filtering out the subnets identified with the CIDR notation.
Do I have to do something special to get Splunk to recognize the notation?
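Added example, not part of the original post: a plain CSV lookup compares the event field to the lookup column as a string, so `10.1.2.3` never equals `10.1.0.0/16`. Splunk only treats a lookup column as a CIDR range when the lookup definition says so: in `transforms.conf`, define the lookup with `match_type = CIDR(<column>)`, for example stanza `[company_subnets]`, `filename = company_subnets.csv`, `match_type = CIDR(cidr_range)`. The lookup name `company_subnets`, the CSV columns `cidr_range` and `site`, and the output field `site` below are assumptions chosen for this example; substitute your own. With the definition in place, the search from the question becomes:

```spl
index=firewall action!=deny source_zone_name="Untrust"
| lookup company_subnets cidr_range AS source_address OUTPUT site
| where isnull(site)
| stats count by source_address
```

Any source address that falls inside one of the CSV ranges, including a /14 supernet, gets a `site` value and is dropped by `where isnull(site)`; flip that to `where isnotnull(site)` to keep only company addresses. Because a /14 entry overlaps the /16s it contains, one address can match more than one row; that does not affect the include/exclude test, since any match is enough. For a one-off check without a lookup, `| where NOT cidrmatch("10.0.0.0/14", source_address)` does the same containment test inline.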