Splunk Search

Has CIDR matching has changed between 6.3.x and 7.x?

cameronjust
Path Finder

So I was doing some debugging for someone on CIDR matching and appeared to get inconsistent results between versions of Splunk.

transforms.conf

[cidr_testing]
filename = cidr_testing.csv
match_type = CIDR(cidr_value)
max_matches=1
min_matches=1
default_match = NONE

cidr_testing.csv

cidr_value,additional_field,comment
192.168.64.69/24,2,broader
192.168.64.69/32,1,specific
192.168.64.64/16,3,even broader
192.168.64.64/8,4,most of it
192.168.64.64/0,5,all of it
192.168.64.65,0,targeted ip

For this search

| makeresults count=5 | eval dest_ip = "192.168.64.69" |  lookup cidr_testing cidr_value AS dest_ip OUTPUT cidr_value, additional_field, comment | table host dest_ip cidr_value additional_field comment | extract reload=t

Splunk 6.3 appears to match the most specific match and will match the second row "specific"

Splunk 7.x appears to match the first result and will match the first row "broader"

Something has obviously changed.

Is this a feature or a bug?

0 Karma

nickhills
Ultra Champion

Check you max_matches - setting max to 1 means the lookup will return only the first match in the lookup file, even if there are more than one match available.

I have just looked, but I cant see that this has changed since 6.3

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...