How to match an IP to CIDR Range to get Criticalit...

SMWickman · ‎08-06-2018

I'm trying to write a search for an asset lookup that I'm able to query to take a list of IPs and bring back the corresponding CIDR range and a criticality and then table them.
Example: One lookup table (assets) - host, ip

HOSTNAME      IP
HOST123          10.10.3.5

Another lookup table: (network_hierarchy) - CIDR, criticality
CIDR                          Criticality
10.10.3.0/24             Critical

Ideally when we run the LDAP search that populates our host/ip list - I'd like to be able to use the IP to search the other lookup based on CIDR range and then return that result along with the criticality field back to the original table - ultimately getting one table with host, ip, CIDR, criticality - I just don't know how to make it function in order to have Splunk's logic match IP to it's CIDR range and then bring everything back into one lookup table.

Any help would be much appreciated!!

renjith_nair · ‎08-06-2018

Probably this might help you . You can mention match_type as CIDR(cidr_range)

https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html

From the transforms.conf

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>)
  specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is
  the default and does not need to be specified.  Only fields that should
  use WILDCARD or CIDR matching should be specified in this list

Happy Splunking!

How to match an IP to CIDR Range to get Criticality for ES?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life