
Problems with cidrmatch and lookup from csv (even after transforms.conf edited)

theothertomjone
New Member

I've read other questions on this topic and I am afraid I'm just stuck.

I have a csv named "subnets_cidrmatch" with fields subnet, country (~250 entries in this spreadsheet).

I have another csv named "spreadsheet" with a field clientip (~48k entries in this spreadsheet).

1. I have edited transforms.conf with the configuration below

[subnets_cidrmatch]
filename = subnets_cidrmatch.csv
default_match = NONE
match_type = CIDR(subnet)

2. The following query doesn't work (for some reason)

| inputlookup spreadsheet.csv
| lookup subnets_cidrmatch subnet AS clientip OUTPUT country as clientip_location
| table clientip subnet clientip_location

3. None of the fields match on the country (or the OUTPUT field clientip_location)

Any idea what could be going on here?

0 Karma
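An added example, not part of the original thread and not Splunk's own code, that does offline what the lookup in the question is meant to do: it validates that every `subnet` value in the lookup CSV is real CIDR notation (the first thing to rule out when a CIDR lookup returns nothing), then matches each `clientip` against the table the way `| lookup subnets_cidrmatch subnet AS clientip OUTPUT country AS clientip_location` would. Both CSV bodies are constructed samples of the two files named above; resolving overlapping subnets to the most specific one is an assumption of this script, since the thread says nothing about how Splunk breaks such ties.

```python
"""CIDR lookup outside Splunk: validate the subnet table, then enrich client IPs."""
import csv
import io
import ipaddress

# Constructed sample of subnets_cidrmatch.csv (the real file has ~250 rows).
# The last row is deliberately malformed to show what the validation reports.
SUBNETS_CSV = """subnet,country
10.0.0.0/8,Private-A
192.168.1.0/24,Lab
203.0.113.0/24,Documentation-Net
198.51.100.64/26,Documentation-Net-B
not-a-cidr,Broken
"""

# Constructed sample of spreadsheet.csv (the real file has ~48k rows).
CLIENTS_CSV = """clientip
10.23.4.5
192.168.1.77
198.51.100.70
8.8.8.8
"""


def load_cidr_table(csv_text, key="subnet", value="country"):
    """Parse the lookup CSV and return (rows, errors).

    rows:   list of (ip_network, value), most specific prefix first
    errors: (line_no, raw_value) for every subnet that is not valid CIDR notation
    """
    rows, errors = [], []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, record in enumerate(reader, start=2):  # header is line 1
        raw = record[key].strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            errors.append((line_no, raw))
            continue
        rows.append((net, record[value]))
    # Longest prefix first so an IP inside two overlapping subnets gets the
    # narrower one (assumption of this script, see lead-in). sort() is stable,
    # so equal prefix lengths keep file order.
    rows.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return rows, errors


def cidr_lookup(ip_text, table, default=None):
    """Return the value of the most specific subnet containing ip_text.

    `default` plays the role of default_match in transforms.conf: it is what
    comes back when no subnet matches (or the IP itself is unparseable).
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return default
    for net, value in table:
        if ip.version == net.version and ip in net:
            return value
    return default


def enrich(clients_csv, table, default=None):
    """Mimic the lookup command: add clientip_location to every clientip row."""
    reader = csv.DictReader(io.StringIO(clients_csv))
    return [
        {
            "clientip": record["clientip"],
            "clientip_location": cidr_lookup(record["clientip"], table, default),
        }
        for record in reader
    ]


if __name__ == "__main__":
    table, errors = load_cidr_table(SUBNETS_CSV)
    for line_no, bad in errors:
        print(f"subnets_cidrmatch.csv line {line_no}: {bad!r} is not valid CIDR notation")
    for row in enrich(CLIENTS_CSV, table):
        print(row)
```

Running it against the real `subnets_cidrmatch.csv` (read the file instead of the inline string) separates a data problem from a platform problem: if `errors` is empty and `enrich` populates `clientip_location`, the CSV is sound and the lookup definition or Splunk version is the remaining suspect.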

starcher
Influencer

Make sure the column subnet in your lookup is in CIDR format like 10.0.0.0/8 format.

0 Karma

theothertomjone
New Member

It is in the correct CIDR format--the issue is the support for the match_type=CIDR between SE v6.5 and SE v7.x. Somewhere between these two versions the match_type=CIDR is fully supported.

0 Karma

dbray_sd
Path Finder

Did you ever get this resolved? I seem to be having the same issue.

0 Karma

theothertomjone
New Member

Ok everyone, it seems that this is some sort of versioning issue--I downloaded free Splunk and installed it locally, added both lookup tables (and definitions) and this worked without problem.

So, in production I'm running Splunk Enterprise v6.5. Match_type = CIDR doesn't work somewhere between version 6.5 and 7.x.

Note: on version 6.5 the cidrmatch function works inside an eval function, but not as a match type itself. It's weird.

0 Karma