Solved: Re: How do I do a CIDR match with an inputlookup?

adepasquale · ‎02-06-2019

Hi All,

I have a lookup that currently works. I've set match_type to CIDR(netRange) in my transforms file and everything works when I pass it an IP address to find in the range.

However, I'm looking to use this lookup table without a search. So I went with the creating command inputlookup, but for the life of me, I cannot get a CIDR match to work. I want to pass it an IP, and have it find the matching CIDR notation in netRange.

Is there no way to do this with the inputlookup command — why is it not honoring my transform?

This works:

index="main" | eval cip="1.1.1.1" | lookup IP2ASN netRange AS cip

This does not work

|inputlookup IP2ASN where netRange=1.1.1.1

somesoni2 · ‎02-06-2019

Try this

| makeresults | eval cip="1.1.1.1" | lookup IP2ASN netRange AS cip

View solution in original post

somesoni2 · ‎02-06-2019

Try this

| makeresults | eval cip="1.1.1.1" | lookup IP2ASN netRange AS cip

adepasquale · ‎02-06-2019

Gold! thank you, and to be clear... I'm not actually issuing a search with "makeresults"?

somesoni2 · ‎02-06-2019

You're running a search command that generates a dummy row (not searching actual indexes). Technically it's still a search.

adepasquale · ‎02-06-2019

It'll do, thanks again.

Vijeta · ‎02-06-2019

@adepasquale Try this-

|inputlookup IP2ASN  | where netRange="1.1.1.1"

adepasquale · ‎02-06-2019

This doesn't work either. netRange has values like 1.0.0.0/24, 1.0.1.0/24, 1.1.1.0/24, etc...

How do I do a CIDR match with an inputlookup?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability