Hello community, I aim to compare the 'src_ip' values referenced below with the CIDR IP ranges in the lookup file 'zscalerip.csv' using the query provided. If there is a match, the result should be recorded as true in the 'Is_managed_device' field; otherwise, it should be marked as false. However, upon executing this query, I'm obtaining identical results for all IPs, irrespective of whether they match a CIDR range. I have created a new lookup definition for the lookup with the following settings:
Type = file-based
min_matches = 0
default_match = NONE
filename = zscalerip.csv
match_type = CIDR(CIDR)
CIDR IP ranges in the lookup file:
CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23
Splunk query:
| makeresults | eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(cidrmatch(CIDR_match,src_ip), "true", "false")
| table src_ip Is_managed_device
I am getting results in the format below:
src_ip              Is_managed_device
10.0.0.0            FALSE
166.226.118.0       FALSE
136.226.158.0       FALSE
185.46.212.0        FALSE
2a03:eec0:1411::    FALSE
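Editor's note on the post above: the `| lookup zscalerip.csv ...` command names the CSV file directly, and a lookup invoked by file name does not go through the lookup definition, so the `match_type = CIDR(CIDR)` setting is never applied and every `src_ip` is compared as a literal string. Invoking the lookup by the definition's name is what makes Splunk honour `match_type`. To show what the intended CIDR comparison should produce for the five sample addresses, here is a stand-alone Python reproduction of that matching logic; it is an added example, not code from the original post or from Splunk. The CSV text and the `wildcard_to_cidr` helper (which turns the non-CIDR entry `168.246.*.*` into `168.246.0.0/16`, the range a `WILDCARD` match would cover) are this example's own constructions; IPv6 and malformed inputs are handled by returning no match rather than raising.

```python
import csv
import io
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed copy of the lookup file contents shown in the post.
ZSCALER_CIDR_CSV = """CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23
"""

# The same five sample addresses the post feeds through makeresults/mvexpand.
SAMPLE_SRC_IPS = "10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::".split()


def wildcard_to_cidr(entry: str) -> str:
    """Convert a dotted wildcard such as 168.246.*.* into CIDR (168.246.0.0/16).

    Only trailing wildcards are supported; an entry that is already CIDR is
    returned unchanged. (Helper assumed for this example.)
    """
    if "*" not in entry:
        return entry
    octets = entry.split(".")
    stars = [i for i, octet in enumerate(octets) if octet == "*"]
    if len(octets) != 4 or stars != list(range(stars[0], 4)):
        raise ValueError(f"unsupported wildcard entry: {entry}")
    prefix_len = 8 * stars[0]
    network = ".".join(octets[: stars[0]] + ["0"] * len(stars))
    return f"{network}/{prefix_len}"


def load_networks(csv_text: str) -> List[Network]:
    """Parse the lookup CSV into ip_network objects (strict=False tolerates host bits)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        ipaddress.ip_network(wildcard_to_cidr(row["CIDR"].strip()), strict=False)
        for row in reader
        if row["CIDR"].strip()
    ]


def cidr_match(src_ip: str, nets: List[Network]) -> Optional[str]:
    """Return the first matching CIDR as a string, or None when nothing matches.

    This mirrors the OUTPUT field of a CIDR-typed lookup: unparseable or
    unmatched addresses yield no value instead of an error.
    """
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return None
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def classify(src_ips: List[str], csv_text: str = ZSCALER_CIDR_CSV) -> dict:
    """Map each src_ip to "true"/"false", the Is_managed_device value the query wants."""
    nets = load_networks(csv_text)
    return {ip: ("true" if cidr_match(ip, nets) else "false") for ip in src_ips}


if __name__ == "__main__":
    for ip, managed in classify(SAMPLE_SRC_IPS).items():
        print(f"{ip:20} {managed}")
```

Run stand-alone, this prints `true` only for `136.226.158.0` (inside `136.226.158.0/23`); `166.226.118.0` is not in any listed range (the wildcard entry starts with `168`, not `166`), and the IPv6 address is compared only against IPv6 networks, of which the file has none. That is the result set the Splunk query should return once the lookup is invoked through its definition rather than by file name.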