Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

not receiving any outcomes for CIDR IPs

hem03
Loves-to-Learn Lots
‎05-20-2024 05:01 AM

Hello community,

I aim to compare the 'src_ip' referenced below with the CIDR IP ranges in the lookup file 'zscalerip.csv' using the query provided. If there is a match, the result should be recorded as true in the 'Is_managed_device' field; otherwise, it should be marked as false. However, upon executing this query, I'm obtaining identical results for all IPs, irrespective of whether they match the CIDR range. 

I have created a new lookup definition for the lookup and implemented the following changes:-

Type = file-based
min_matches = 0
default_match = NONE
filename = zscalerip.csv
match_type = CIDR(CIDR)


CIDR IP range in lookup file :- 

CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23




Splunk Query :-

| makeresults | eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(cidrmatch(CIDR_match,src_ip), "true", "false")
| table src_ip Is_managed_device


getting result in below format:-

src_ip Is_managed_device
10.0.0.0 FALSE
166.226.118.0 FALSE
136.226.158.0 FALSE
185.46.212.0 FALSE
2a03:eec0:1411:: FALSE

 

Labels (1)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-20-2024 01:53 PM

I am a little confused by the SPL.  Did you try this?

| makeresults | eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(isnull(CIDR_match), "false", "true")
| table src_ip Is_managed_device

 

Tags (1)
0 Karma
Reply

hem03
Loves-to-Learn Lots
‎05-21-2024 01:54 AM

I tried using the 'isnull' and 'isnotnull' functions, but received the same 'false' result for both.

Tags (2)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-21-2024 09:41 AM

I entered your sample table in a lookup zscalerip.csv

CIDR
168.246.0.0/16
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

(Your original first line 168.246.*.* is not a CIDR notation so I speculated it to be misspelling of 168.246.0.0/16.  This is immaterial to the problem at hand.)

 

[zscalerip.csv]
batch_index_query = 0
case_sensitive_match = 1
filename = zscalerip.csv
match_type = CIDR(CIDR)

 

Using the exact search I posted above, the output is

src_ipIs_managed_device
10.0.0.0false
166.226.118.0false
136.226.158.0true
185.46.212.0false
2a03:eec0:1411::false
0 Karma
Reply

hem03
Loves-to-Learn Lots
‎05-22-2024 01:41 AM

I'm still getting the wrong result. When I tried with a single IPv4 address, it worked, but I encountered the issue only with CIDR IP ranges. Do I need to make any changes from the backend?

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎05-22-2024 08:53 AM

My test is on a basic installation on my laptop.  CIDR match works as is.  Maybe delete that lookup and redo it?  Do you use UI or edit transforms.conf directly?  If you use UI, maybe post the part where you set up CIDR match?  Is there a mismatch between field name in CIDR setup and the actual file header?  I already showed my test file content and the lookup stanza in transforms.conf.  Here are from the UI:

image.pnglookup-definition.png

Also avoid bad entries like *.* in the file.  I don't know if that will ruin CIDR match, but why take the risk.

0 Karma
Reply

hem03
Loves-to-Learn Lots
‎05-24-2024 02:45 AM

I'm still receiving an inaccurate result.

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...