eval case/cidrmatch using two fields as a conditio...

whitefang1726 · ‎03-10-2020

How can I use cidrmatch or case using 2 conditions?

Example: I only want to get list of IPs where row_A is 11.0.0.0/24 and row_B is 8.8.8.0/24

Current Table:
row_A row_B
10.0.0.1 11.0.0.1
10.0.0.2 12.0.0.1
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9
12.0.0.1 8.8.8.8
12.0.0.2 8.8.8.9

Target Result:
row_A row_B
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9

Thanks!

manjunathmeti · ‎03-10-2020

hi @whitefang1726,

Use where command like this:

| where cidrmatch("11.0.0.0/24", row_A) and cidrmatch("8.8.8.0/24", row_B)

Smaple query:

| makeresults 
| eval _raw=" row_A row_B
10.0.0.1 11.0.0.1
10.0.0.2 12.0.0.1
11.0.0.1 8.8.8.8
11.0.0.2 8.8.8.9
12.0.0.1 8.8.8.8
12.0.0.2 8.8.8.9" 
| multikv forceheader=1 
| where cidrmatch("11.0.0.0/24", row_A) and cidrmatch("8.8.8.0/24", row_B)
| fields - _raw, _time, linecount

eval case/cidrmatch using two fields as a condition

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!