Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search with cidrmatch with multiple subnets?

bosseres
Contributor
‎02-07-2023 05:24 AM

Hello everyone,

I got such table after search

 

ip subnets
10.0.0.2

10.0.0.0/24

 
10.0.0.3

10.0.0.0/24

172.24.23.23/24

 

I want to compare if ip belongs to subnets, using next one comparison

| eval match=if(cidrmatch(subnets, ip), "match", "nomatch")

It works correct if there is one subnet, but if more - not, how can I correct my search query?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 06:41 AM

Try something like this

| mvexpand subnets
| stats values(eval(if(cidrmatch(subnets, ip), subnets, null()))) as matches by ip

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 05:52 AM

If subnets is a multi-value field, use mvexpand before the eval, otherwise use split to create a multi-value field and mvexpand.

Reply
Solved! Jump to solution

bosseres
Contributor
‎02-07-2023 06:32 AM

Yes, I have multivalue field, I did


| mvexpand subnets

but how to make comparison, if ip belongs TO ONE of this subnets - then alert?

because now it checks the compliance of each ip with each subnet, for my example table 

ipsubnets
10.0.0.2

10.0.0.0/24

 

10.0.0.3

10.0.0.0/24

172.24.23.23/24

 

search will find 10.0.0.3 which not matches 172.24.23.23/24, but I need make search where if 10.0.0.3 matches even one of subnets

0 Karma
Reply
Solved! Jump to solution

bosseres
Contributor
‎02-07-2023 06:33 AM

I mean I want to do, if ip matches at least one of subnets - then field match=match

Tags (1)
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎02-08-2023 01:52 AM

This is confusing as @ITWhisperer already explained you could use mvexpand.  Can you explain why this does not give you what you need?

| mvexpand subnets
| where cidrmatch(subnets, ip)

Suppose there are multiple subnets in the original table and ip matches one of them.  Is there any use of the non-matching subnets?

If there is any such use, ITWhisperer's last response covers it.

 

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-07-2023 06:41 AM

Try something like this

| mvexpand subnets
| stats values(eval(if(cidrmatch(subnets, ip), subnets, null()))) as matches by ip
Reply
Solved! Jump to solution

bosseres
Contributor
‎02-09-2023 02:31 AM

thank you, sir!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...