×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
PeterPurker
Engager
Member since: ‎01-16-2025
‎03-20-2025
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 1
Member Since ‎01-16-2025
Activity Feed
View All

Re: cidrmatch with lookup and field as arguments

by in Feedback
‎01-17-2025 02:05 AM
1 Karma
‎01-17-2025 02:05 AM
1 Karma
Hello, I tried what you suggested and it doesn't work, it just behaves like it did previously. If I rewrite the code to the following in order to see what is being printed out from the file   | append [| inputlookup cidr_aws.csv ] | foreach CIDR [ eval value="<<FIELD>>" ] | table value    then the column name is being printed if I instead remove the "" around <<FIELD>>, like the following   | append [| inputlookup cidr_aws.csv ] | foreach CIDR [ eval value=<<FIELD>> ] | table value   then it actually prints out the correct values from the file but it includes a random blank line which isn't in the file   Do you have any other idea on what else that I could try?   ... View more

cidrmatch with lookup and field as arguments

by in Feedback
‎01-16-2025 04:55 AM
‎01-16-2025 04:55 AM
Hello Hello! I'm trying to match the values from a lookup file, in this case being Amazon CIDRS values against ip-adresses that are dynamically retrieved from events, but I can't get it to work, the following is a snippet of what I have.     | append [| inputlookup cidr_aws.csv ] | foreach CIDR [ eval matched_ip = if(cidrmatch(<<FIELD>>, ip_address), ip_address, null()) ] | search matched_ip!=null | table matched_ip, CIDR      There is nothing outputted from this, and if I remove the "| search matched_ip!=null" then I can see that the IP appears which means that it failed the "cidrmatch" comparison and after some experimenting I figured out that the entire thing works If I hardcode either the "<<FIELD>>" value or "ip_address" like the following two examples..     | append [| inputlookup cidr_aws.csv ] | foreach CIDR [ eval matched_ip = if(cidrmatch("3.248.0.0/13", ip_address), ip_address, null()) ] | search matched_ip!=null | table matched_ip, CIDR, Country    or   | append [| inputlookup cidr_aws.csv ] | foreach CIDR [ eval matched_ip = if(cidrmatch(<<FIELD>>, "3.248.163.69"), ip_address, null()) ] | search matched_ip!=null | table matched_ip, CIDR, Country   but this is not optimal since it's supposed to be dynamic.   Does anybody know how to solve this? ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-20-2025 05:14 AM
Karma from
View All