CIDR Range to Match a SUB CIDR Range

ARobillard · ‎12-11-2019

Hello All,

I have two lookup tables that contain CIDR Ranges. One being a top level and the other one being the sub level CIDR ranges with different information. I want to do a lookup that can match on CIDR Range of these two tables. Is this possible with splunk? I know its a weird ask, I was able to just combined them outside splunk but curious if this is a possibility.

What I did was I created the two lookup tables and created the lookup definitions specifying the CIDR Field for both lookups. I called for the lookup with both of the different fields and did not match them.

Thank you in advance!

ARobillard · ‎12-11-2019

Example

your search
| lookup 1.csv cidr as src_ip OUTPUT cidr
| lookup detailedcidr.csv top_cidr as cidr OUTPUT top_cidr blah blah blah blah

to4kawa · ‎12-11-2019

your search
|lookup first cidr as src_ip OUTPUT something1
|lookup  second cidr as src_ip OUTPUT something2
|where something1=* AND something2=*

It ’s like this because I do n’t know your query.

ARobillard · ‎12-11-2019

Sorry I was just trying to match 2 lookup tables into one.

Both have cidr ranges.

| inputlookup cidr.csv
| lookup top_cidr cidr1 as cidr2 outputnew blah blah blah blah

to4kawa · ‎12-11-2019

| makeresults 
| eval first_cidr="10.10.0.1/8", second_cidr="10.10.0.1/32"
| eval result=if(cidrmatch(first_cidr,second_cidr),"OK","false")

It ’s not good because it ’s a string comparison.

CIDR Range to Match a SUB CIDR Range

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk