Hi,
I've RTFM many times but can't seem to figure this out.. I am creating a new field ("ip") based on a simple search for Servers requesting an IP via DHCP:
"DHCPREQUEST for" | rex field=_raw "DHCPREQUEST for (?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"
This returns a few thousand lines and populates the field "ip".
Now I create a networks.csv in the following format:
network
123.123.123.0/24
123.123.124.0/24
123.123.125.0/24
I am trying to only display hosts that match one of the networks in the .csv file:
"DHCPREQUEST for" | rex field=_raw "DHCPREQUEST for (?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | where cidrmatch("[|inputcsv networks.csv | fields network]",ip)
which returns zero results. Running only the subsearch returns the list of networks as expected.
What am I doing wrong?
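The filter the post is after, modelled outside Splunk in Python as an added example (it is not part of the original post and is not SPL). The log lines are constructed, the function names are hypothetical, and the CSV content is the networks.csv shown above; the point is that each extracted address is tested against one network at a time.

```python
import csv
import io
import ipaddress
import re

# Constructed sample data: the networks.csv from the post and made-up dhcpd lines.
NETWORKS_CSV = "network\n123.123.123.0/24\n123.123.124.0/24\n123.123.125.0/24\n"
SAMPLE_LOG = """\
Jan 10 10:00:01 srv1 dhcpd: DHCPREQUEST for 123.123.123.45 from 00:11:22:33:44:55 via eth0
Jan 10 10:00:02 srv1 dhcpd: DHCPREQUEST for 10.0.0.7 from 00:11:22:33:44:56 via eth0
Jan 10 10:00:03 srv1 dhcpd: DHCPREQUEST for 123.123.125.200 from 00:11:22:33:44:57 via eth0
Jan 10 10:00:04 srv1 dhcpd: DHCPREQUEST for 123.123.126.1 from 00:11:22:33:44:58 via eth0
Jan 10 10:00:05 srv1 dhcpd: DHCPREQUEST for 999.123.123.1 from 00:11:22:33:44:59 via eth0
Jan 10 10:00:06 srv1 dhcpd: DHCPACK on 123.123.124.9 to 00:11:22:33:44:60 via eth0
"""

# Same pattern as the rex in the post, with Python's named-group syntax.
IP_RE = re.compile(r"DHCPREQUEST for (?P<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)")

def load_networks(csv_text):
    """Read the 'network' column into ip_network objects."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [ipaddress.ip_network(row["network"].strip()) for row in reader]

def filter_requests(log_text, networks):
    """Return (ip, matching_network) for each DHCPREQUEST inside a listed network."""
    hits = []
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue  # not a DHCPREQUEST line
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # the \d{1,3} pattern also accepts octets above 255
        # One membership test per network: a CIDR check compares an address
        # with a single network, never with the whole list as one string.
        for net in networks:
            if ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits

if __name__ == "__main__":
    for ip, net in filter_requests(SAMPLE_LOG, load_networks(NETWORKS_CSV)):
        print(ip, net)
```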