Use the 'map' command. Here is an example:
Let's assume you have a lookup table called 'my_csv_list_of_cidr_ranges.csv' which looks something like:
Or something like that.
The following code will take that list and compare it to a field called 'my_ip' and return a list of IP addresses that match at least one of the cidr ranges. The myfield* fields are optional and are simply there to pass other fields out of the map command. Be sure to set maxsearches to a value higher than the number of cidrs in your lookup file.
| map maxsearches=100 search="| inputlookup my_csv_list_of_cidr_ranges.csv
| eval my_ip=\"$my_ip$\"
| eval myfield1=\"$myfield1$\"
| eval myfield2=\"$myfield2$\"
| eval ipmatch=if(cidrmatch(cidr,my_ip),1,0)
| eventstats sum(ipmatch) as total_ipmatch by my_ip
| where total_ipmatch>0
| dedup my_ip
| table *"
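Added example, not the answer's own search: the same IP-against-CIDR-list match done with a CIDR-typed lookup definition instead of map. It assumes a lookup definition named cidr_ranges that points at my_csv_list_of_cidr_ranges.csv and has its Match type set to CIDR(cidr) (Settings > Lookups > Lookup definitions > Advanced options, or match_type = CIDR(cidr) in transforms.conf); the index, sourcetype and the 10.1.2.3 test address are placeholders to replace with your own. Because lookup is applied per event in the main pipeline, there is no per-result subsearch and no maxsearches ceiling to size.

```spl
index=my_index sourcetype=my_sourcetype
| lookup cidr_ranges cidr AS my_ip OUTPUT cidr AS matched_cidr
| where isnotnull(matched_cidr)
| stats count AS hits values(matched_cidr) AS matched_cidr by my_ip

| makeresults
| eval my_ip="10.1.2.3"
| lookup cidr_ranges cidr AS my_ip OUTPUT cidr AS matched_cidr
```

The first search returns one row per my_ip that falls inside at least one range, with the range(s) it matched; any event whose my_ip matches nothing gets no matched_cidr and is dropped by the where clause. The second search is a one-off sanity check for a single address: if matched_cidr comes back empty for an address you know is in the file, the lookup definition is still using the default exact match type rather than CIDR(cidr).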