eval case/cidrmatch using two fields as a conditio...

whitefang1726 · ‎03-10-2020

How can I use cidrmatch or case using 2 conditions?

Example: I only want to get list of IPs where row_A is 11.0.0.0/24 and row_B is 8.8.8.0/24

Current Table:
row_A row_B
10.0.0.1 11.0.0.1
10.0.0.2 12.0.0.1
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9
12.0.0.1 8.8.8.8
12.0.0.2 8.8.8.9

Target Result:
row_A row_B
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9

Thanks!

manjunathmeti · ‎03-10-2020

hi @whitefang1726,

Use where command like this:

| where cidrmatch("11.0.0.0/24", row_A) and cidrmatch("8.8.8.0/24", row_B)

Smaple query:

| makeresults 
| eval _raw=" row_A row_B
10.0.0.1 11.0.0.1
10.0.0.2 12.0.0.1
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9
12.0.0.1 8.8.8.8
12.0.0.2 8.8.8.9" 
| multikv forceheader=1 
| where cidrmatch("11.0.0.0/24", row_A) and cidrmatch("8.8.8.0/24", row_B)
| fields - _raw, _time, linecount

eval case/cidrmatch using two fields as a condition

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation