Splunk Enterprise Security

CIDR Range to Match a SUB CIDR Range

ARobillard
New Member

Hello All,

I have two lookup tables that contain CIDR ranges. One is the top level and the other holds the sub-level CIDR ranges with different information. I want to do a lookup that can match on the CIDR range of these two tables. Is this possible with Splunk? I know it's a weird ask. I was able to just combine them outside Splunk, but I'm curious if this is a possibility.

What I did was I created the two lookup tables and created the lookup definitions specifying the CIDR Field for both lookups. I called for the lookup with both of the different fields and did not match them.

Thank you in advance!

0 Karma

ARobillard
New Member

Example

your search
| lookup 1.csv cidr as src_ip OUTPUT cidr
| lookup detailedcidr.csv top_cidr as cidr OUTPUT top_cidr blah blah blah blah

0 Karma

to4kawa
Ultra Champion
your search
| lookup first cidr as src_ip OUTPUT something1
| lookup second cidr as src_ip OUTPUT something2
| where isnotnull(something1) AND isnotnull(something2)

It's like this because I don't know your query.

0 Karma

ARobillard
New Member

Sorry, I was just trying to match 2 lookup tables into one.

Both have cidr ranges.

| inputlookup cidr.csv
| lookup top_cidr cidr1 as cidr2 outputnew blah blah blah blah

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval first_cidr="10.10.0.1/8", second_cidr="10.10.0.1/32"
| eval result=if(cidrmatch(first_cidr,second_cidr),"OK","false")

It's not good because it's a string comparison.

0 Karma
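
Added example (not code from the thread or from Splunk): the original poster mentions combining the two tables outside Splunk, and this is one way to do that in Python, attaching to each sub-level range the most specific top-level range that actually contains it. The CSV contents and the column names `owner` and `site` are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample lookups (not from the thread); column names are assumptions.
TOP_CSV = """cidr,owner
10.0.0.0/8,corp
192.168.0.0/16,lab
"""
SUB_CSV = """cidr,site
10.10.0.1/32,vpn-gw
10.20.0.0/16,dc-east
192.168.5.0/24,lab-a
172.16.0.0/12,unlisted
10.0.0.0/7,too-wide
"""

def load(text):
    """Parse a lookup CSV into (network, row) pairs; strict=False accepts host bits, e.g. 10.10.0.1/8."""
    return [(ipaddress.ip_network(r["cidr"], strict=False), r)
            for r in csv.DictReader(io.StringIO(text))]

def merge_lookups(top_text, sub_text):
    """Attach to each sub-level row the most specific top-level range that contains it."""
    tops = load(top_text)
    merged = []
    for sub_net, sub_row in load(sub_text):
        # Containment: same IP version and the whole sub range lies inside the parent.
        # Checking only the network address would wrongly accept 10.0.0.0/7 under 10.0.0.0/8.
        parents = [(t, row) for t, row in tops
                   if t.version == sub_net.version and sub_net.subnet_of(t)]
        out = dict(sub_row, top_cidr="", owner="")
        if parents:
            top_net, top_row = max(parents, key=lambda p: p[0].prefixlen)
            out.update(top_cidr=str(top_net), owner=top_row["owner"])
        merged.append(out)
    return merged

def to_csv(rows):
    """Serialize merged rows as a single lookup CSV."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["cidr", "site", "top_cidr", "owner"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(merge_lookups(TOP_CSV, SUB_CSV)))
```

The merged output can be loaded as one lookup table, so a single CIDR match on the sub-level `cidr` field returns the top-level information as well.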