Apparently my Google-Fu isn't the best and I can't find an explanation. Can someone please enlighten me?

I have a lookup table that looks like this:

    CIDR, ip_address
    24,   1.2.3.4/24
    23,   5.6.7.8/23

I wanted events with source IPs that match the IP addresses in the lookup table with destination IPs that do not match the IP addresses in the lookup table. I ran the following query, and this appears to work (unless it's actually not??):

    index="index1" | lookup lookup1 ip_address as src_ip OUTPUTNEW ip_address as address | where dest_ip!=address

My confusion stems from the fact that ip_address is in CIDR notation. The way my mind is processing this query is that a new field called address is created, and the value of dest_ip is compared against the value of address. However, the value of address is in CIDR notation, and dest_ip is not. Is address treated as a list and the value of dest_ip is checked against each item in the list?
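The following is an added Python model of the two pipelines in play here, not code from the post or from Splunk. It assumes the lookup definition does CIDR matching on ip_address (in Splunk that comes from the lookup's match_type, not from the lookup command itself), that OUTPUTNEW returns the matched row's ip_address text as the address field, and that where dest_ip!=address is plain string inequality which is false when address is null. Under those assumptions it contrasts the string comparison the query actually performs with the range-membership check the question describes, on a constructed lookup table and constructed events.

```python
import ipaddress

# Constructed lookup table in the same shape as the question's (CIDR, ip_address).
LOOKUP_ROWS = [
    {"CIDR": "24", "ip_address": "1.2.3.4/24"},
    {"CIDR": "23", "ip_address": "5.6.7.8/23"},
]

# Constructed sample events: (src_ip, dest_ip) pairs covering the interesting cases.
EVENTS = [
    {"src_ip": "1.2.3.10",    "dest_ip": "10.0.0.5"},   # src in range, dest outside any range
    {"src_ip": "1.2.3.10",    "dest_ip": "5.6.6.9"},    # src in range, dest inside 5.6.6.0/23
    {"src_ip": "192.168.1.1", "dest_ip": "10.0.0.5"},   # src outside every range
]


def load_networks(rows):
    """Parse each row's CIDR text into a network, keeping the original text.

    strict=False tolerates host bits in the lookup text ("1.2.3.4/24" is read as
    1.2.3.0/24); assumption: the lookup's CIDR matcher is similarly tolerant.
    """
    return [(ipaddress.ip_network(r["ip_address"], strict=False), r["ip_address"])
            for r in rows]


def cidr_lookup(ip, networks):
    """Model of 'lookup ... ip_address as <field> OUTPUTNEW ip_address as address'.

    Returns the matched row's ip_address text (CIDR notation) or None when no
    row matches, which is how a missing lookup hit leaves the field null.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, text in networks:
        if addr in net:
            return text
    return None


def string_compare_filter(events, networks):
    """Model of the posted query: lookup on src_ip, then 'where dest_ip!=address'.

    The comparison is string inequality between a dotted address and a CIDR
    string; a null address makes the where clause false, so unmatched sources
    drop out.  dest_ip is never tested against the range.
    """
    kept = []
    for e in events:
        address = cidr_lookup(e["src_ip"], networks)
        if address is not None and e["dest_ip"] != address:
            kept.append(e)
    return kept


def range_membership_filter(events, networks):
    """The semantics the question asks for: src inside a listed range and dest
    inside none of them, each side checked by CIDR membership."""
    return [e for e in events
            if cidr_lookup(e["src_ip"], networks) is not None
            and cidr_lookup(e["dest_ip"], networks) is None]


NETWORKS = load_networks(LOOKUP_ROWS)

if __name__ == "__main__":
    print("string compare keeps :", string_compare_filter(EVENTS, NETWORKS))
    print("range membership keeps:", range_membership_filter(EVENTS, NETWORKS))
```

The second event is where the two models diverge: its destination 5.6.6.9 lies inside 5.6.6.0/23, so the membership check drops it, while the string comparison keeps it because "5.6.6.9" is simply not equal to the text "1.2.3.4/24". The third event is dropped by both, but in the string model only because the null address makes the where clause false, not because of any destination check.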