Splunk Search

CIDR type lookup and matching the most specific prefix

rafajot
Explorer

I would like to make a CIDR type lookup that matches only the most specific prefix. For example, if there is a lookup table with the 165.225.0.0/17 and 165.225.68.0/24 prefixes, then 165.225.68.64 should be matched only against the /24 prefix.

In the past I thought that was default Splunk behavior but either I was wrong (most likely) or the Splunk behavior has changed over time (less likely).

0 Karma

rfaircloth_splu
Splunk Employee

The way lookup files work is that we read the file until max_matches has been satisfied. If the file is sorted by reverse mask bits (/32, /31, etc.) and max_matches=1, then this will appear to work, so long as only one row for a given CIDR is expected.

Line #27 in this macro has an example: https://bitbucket.org/SPLServices/seckit_sa_idm_common/src/f1abb1c9099be10a613c160a4b0d88088c0899c4/...

0 Karma

rafajot
Explorer

It looks like generating a lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (and I checked around 12 000 IPs against their BGP prefixes). However, it would be good to have confirmation in the Splunk documentation that this is expected Splunk behaviour.

What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions

My understanding is that in such a case, if 61.31.236.1 is tested against a lookup where two prefixes exist, 61.31.224.0/20 and 61.31.236.0/24, it should be matched to 61.31.224.0/20 (as it is first in sorting order). However, if the lookup is sorted by network size it is actually being matched to 61.31.236.0/24, which is good from the point of view of the described problem, but I'm not quite sure if it's aligned with the above-mentioned documentation.

0 Karma
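As an added example (not code from this thread or from the linked macro), the script below emulates the first-match behaviour rfaircloth_splu describes, a CIDR lookup read top to bottom until max_matches=1 is satisfied, and produces a lookup CSV ordered by descending prefix length so the longest prefix wins. The `cidr`/`site` column names and the sample rows are constructed; the two prefix pairs are the ones from the thread.

```python
import csv
import io
import ipaddress

# Constructed sample lookup rows: the two prefix pairs from the thread plus a
# catch-all, deliberately listed least-specific-first (plain ASCII order).
LOOKUP_ROWS = [
    {"cidr": "165.225.0.0/17", "site": "region-wide"},
    {"cidr": "165.225.68.0/24", "site": "branch-office"},
    {"cidr": "61.31.224.0/20", "site": "isp-block"},
    {"cidr": "61.31.236.0/24", "site": "customer-block"},
    {"cidr": "0.0.0.0/0", "site": "unknown"},
]


def sort_most_specific_first(rows, cidr_field="cidr"):
    """Order rows by descending prefix length (/32 before /31 ... before /0).

    With max_matches=1 the lookup stops at the first containing row, so this
    ordering makes the first match the longest prefix. sorted() is stable,
    so rows of equal length keep their original relative order.
    """
    return sorted(
        rows,
        key=lambda r: ipaddress.ip_network(r[cidr_field], strict=False).prefixlen,
        reverse=True,
    )


def first_match(ip, rows, cidr_field="cidr"):
    """Emulate a CIDR(cidr) lookup with max_matches=1: first containing row wins."""
    addr = ipaddress.ip_address(ip)
    for row in rows:
        if addr in ipaddress.ip_network(row[cidr_field], strict=False):
            return row
    return None


def write_lookup_csv(rows, fieldnames=("cidr", "site")):
    """Render the rows as the CSV a file-based Splunk lookup consumes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fieldnames), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    ordered = sort_most_specific_first(LOOKUP_ROWS)
    print(write_lookup_csv(ordered))
    for ip in ("165.225.68.64", "165.225.1.1", "61.31.236.1", "8.8.8.8"):
        print(ip, "unsorted ->", first_match(ip, LOOKUP_ROWS)["cidr"],
              "| sorted ->", first_match(ip, ordered)["cidr"])
```

The unsorted rows return 165.225.0.0/17 for 165.225.68.64, while the sorted rows return 165.225.68.0/24, which is the difference the thread observes; the generated CSV still needs `match_type = CIDR(cidr)` and `max_matches = 1` on the lookup definition in transforms.conf.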