Give this a try (workaround, dynamically generating where clause with cidrmatch filters): | inputlookup list_of_devices
| where cidrmatch("$CIDR_tok$", devIP)
| where [| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet_mv = mvappend(NetIP , "/", prefix)
| eval CIDRNet = mvjoin(CIDRNet_mv, "")
| eval search="cidrmatch(\"".CIDRNet."\",devIP)"
| table search
| format "" "" "" "" "OR" ""
| eval search=replace(replace(replace(search,"\\\\",""),"\"c","c"),"\)\"",")")
]
| sort devIP You could also create a new lookup with lookup definition of cidrmatch and use that to filter records. See this for reference: https://splunkonbigdata.com/cidr-lookup-in-splunk/
... View more