CIDR type lookup and matching the most specific prefix

rafajot
Explorer

I would like to make a CIDR type lookup that matches only the most specific prefix. For example, if there is a lookup table with the 165.225.0.0/17 and 165.225.68.0/24 prefixes, then 165.225.68.64 should be matched only against the /24 prefix.

In the past I thought that was the default Splunk behavior, but either I was wrong (most likely) or the Splunk behavior has changed over time (less likely).


rfaircloth_splu
Splunk Employee

The way lookup files work is that we will read the file until max_matches has been satisfied. If the file is sorted by reverse mask bits (/32, /31, etc.) and max_matches=1, then this will appear to work, so long as only one row for a given CIDR is expected.

Line #27 in this macro has an example: https://bitbucket.org/SPLServices/seckit_sa_idm_common/src/f1abb1c9099be10a613c160a4b0d88088c0899c4/...


rafajot
Explorer

It looks like generating a lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (I checked around 12 000 IPs against their BGP prefixes). However, it would be good to have confirmation in the Splunk documentation that this is expected Splunk behaviour.

What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions

My understanding is that in such a case, if 61.31.236.1 is tested against a lookup where two prefixes exist, 61.31.224.0/20 and 61.31.236.0/24, it should be matched to 61.31.224.0/20 (as it is first in sorting order). However, if the lookup is sorted by network size, it is actually matched to 61.31.236.0/24, which is good from the point of view of the described problem, but I'm not quite sure if it's aligned with the above-mentioned documentation.

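The two points made in this thread, that the lookup file is scanned in order until max_matches rows have matched, and that ordering the rows most-specific-first therefore turns a first-match scan into a longest-prefix match, are easy to model outside Splunk. The following is an added example, written for this page rather than taken from the thread, from Splunk or from the seckit macro linked above. It does not reproduce Splunk's internal CIDR matcher; it emulates the "read until max_matches is satisfied" scan described by rfaircloth with Python's standard ipaddress module, and it also emits the re-sorted CSV you would upload as the lookup. The lookup table, the `cidr`/`owner` column names and the IP addresses are constructed for the example (the overlapping prefixes are the ones quoted in the posts above, plus a 0.0.0.0/0 catch-all row to show why a default row must end up last).

```python
"""
Added example (not part of the original thread or of Splunk):
emulate a Splunk CIDR lookup's first-match scan and show that sorting
the lookup file most-specific-first with max_matches=1 gives the
longest-prefix match the poster asked for.
"""
import csv
import io
import ipaddress

# Constructed sample lookup table. Rows are in ASCII sort order, which
# is how the table might look if it were generated or sorted naively.
# Note that the 0.0.0.0/0 catch-all sorts first in ASCII order.
SAMPLE_LOOKUP_CSV = """\
cidr,owner
0.0.0.0/0,catch-all
165.225.0.0/17,org-a-aggregate
165.225.68.0/24,org-a-dc-subnet
61.31.224.0/20,org-b-aggregate
61.31.236.0/24,org-b-branch
"""


def load_lookup(csv_text):
    """Parse the CSV into a list of (network, row) tuples, preserving file order."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # strict=False tolerates host bits set in the CIDR column.
        net = ipaddress.ip_network(row["cidr"], strict=False)
        rows.append((net, row))
    return rows


def sort_most_specific_first(rows):
    """Order rows by descending prefix length (/32 before /31 ... before /0).

    sorted() is stable, so rows with the same prefix length keep their
    file order; as the thread notes, the approach assumes only one row
    per CIDR is expected.
    """
    return sorted(rows, key=lambda item: -item[0].prefixlen)


def splunk_style_match(rows, ip_text, max_matches=1):
    """Emulate the lookup scan: walk rows in file order and stop once
    max_matches rows have matched. Returns the matched rows in scan order.

    `ip in net` is False when address families differ, so a table mixing
    IPv4 and IPv6 rows behaves sensibly.
    """
    ip = ipaddress.ip_address(ip_text)
    hits = []
    for net, row in rows:
        if ip in net:
            hits.append(row)
            if len(hits) >= max_matches:
                break
    return hits


def to_sorted_csv(csv_text):
    """Rewrite the lookup CSV most-specific-first; this is the file to upload."""
    rows = sort_most_specific_first(load_lookup(csv_text))
    fieldnames = list(rows[0][1].keys())
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for _, row in rows:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    file_order = load_lookup(SAMPLE_LOOKUP_CSV)
    specific_first = sort_most_specific_first(file_order)
    for ip in ("165.225.68.64", "165.225.1.1", "61.31.236.1", "8.8.8.8"):
        before = splunk_style_match(file_order, ip)[0]["cidr"]
        after = splunk_style_match(specific_first, ip)[0]["cidr"]
        print(f"{ip}: file order -> {before}; most-specific-first -> {after}")
    print()
    print(to_sorted_csv(SAMPLE_LOOKUP_CSV))
```

Running it shows the failure mode from the thread: in plain file (ASCII) order every address hits the first row that contains it, which here is the catch-all, while the re-sorted table returns the /24 for 165.225.68.64 and 61.31.236.1 and falls through to the /17, /20 or catch-all only when no more specific row exists. Raising max_matches in the emulation returns all containing prefixes in most-specific-first order, which is a quick way to sanity-check the generated file before uploading it.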