I have a lookup containing IPs and I want to compare it to a field from an event that contains a CIDR.
I created a lookup definition and added the match type in the advanced options (CIDR(ip)).
my lookup:
ip exist
1.1.1.1 "yes"
2.2.2.2
my event:
cidr
1.1.1.254/32
my query:
|makeresults
| lookup ip ip as cidr output exist
What did I do wrong?
First, note that if your lookup gives host IP 1.1.1.1 as "yes", it will not match your event CIDR 1.1.1.254/32 because IPv4 only has 32 bits. 1.1.1.254/32 is effectively host IP 1.1.1.254. This can easily be tested with cidrmatch.
| makeresults
| eval ip = "1.1.1.1", cidr = "1.1.1.254/32"
| eval match = if(cidrmatch(cidr, ip), "yes", "no")
You can see where I am going with this. If every cidr in your event has /32 mask, you should use them as host IP in lookup instead.
| rex field=cidr "(?<ip>.+)/32"
| lookup ip ip ``` it is best to name the lookup more descriptively 🙂 ```
If, on the other hand, your event contains less restrictive masks (i.e., they give real CIDR ranges), sure, you can seek a reverse match. But all the advantages of a Splunk lookup are lost; in fact, it can become very expensive if the lookup table is of any meaningful size, because you'll be comparing every IP address in the table with every event. That is n x m.
Here is one approach (assuming that the lookup table is only useful for exist == "yes" entries):
| append
[inputlookup ip where exist == "yes" ``` assume no other meaningful value ```
| table ip]
| stats values(ip) as lookie values(cidr) as cidr ``` mingle event data with lookup data ```
| mvexpand cidr
| eval match = mvmap(lookie, if(cidrmatch(cidr, lookie), "yes", null())) ``` the stats above renamed ip to lookie ```
| eval match = mvzip(lookie, match, ":") ``` use side effect that null value zips into null element ```
| eval match = mvmap(match, replace(match, ":yes", ""))
| table cidr match
Field match will contain a list of IPs that match each cidr.
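The two directions discussed in this answer, as an added example in Python (not Splunk SPL and not code from the original post) using the standard ipaddress module: cidrmatch() answers the same question as Splunk's cidrmatch(cidr, ip); host_ip_from_cidr() is the "/32 means a single host IP" observation, so the event value can be looked up directly; reverse_match() is the n x m reverse search that lists, for every event CIDR, the lookup IPs it encompasses. The lookup rows and event CIDRs are constructed sample data modelled on the thread.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data modelled on the thread: a lookup of host IPs
# (column "ip", with exist == "yes" rows) and event CIDR values.
LOOKUP_ROWS = [
    {"ip": "1.1.1.1", "exist": "yes"},
    {"ip": "2.2.2.2", "exist": ""},
    {"ip": "10.1.1.7", "exist": "yes"},
    {"ip": "10.1.2.9", "exist": "yes"},
]
EVENT_CIDRS = ["1.1.1.254/32", "1.1.1.1/32", "10.1.0.0/16", "192.168.0.0/24"]


def cidrmatch(cidr: str, ip: str) -> bool:
    """Same question Splunk's cidrmatch(cidr, ip) answers: is ip inside cidr?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def host_ip_from_cidr(cidr: str) -> Optional[str]:
    """Return the host address when cidr is a single-host range (/32 for IPv4,
    /128 for IPv6), otherwise None. This is the '/32' trick from the answer,
    but it checks the prefix length instead of matching the literal text."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return None


def exist_for_host_cidrs(lookup_rows, event_cidrs) -> Dict[str, Optional[str]]:
    """Cheap path: for /32 events, strip the mask and do a plain key lookup,
    exactly like '| lookup ip ip' after the rex. Non-host CIDRs are skipped
    because a plain lookup cannot answer them."""
    table = {row["ip"]: row.get("exist") for row in lookup_rows}
    out = {}
    for cidr in event_cidrs:
        host = host_ip_from_cidr(cidr)
        if host is not None:
            out[cidr] = table.get(host)  # None when the IP is absent from the lookup
    return out


def reverse_match(lookup_rows, event_cidrs) -> Dict[str, List[str]]:
    """Expensive path (n x m): for every event CIDR, list the lookup IPs with
    exist == "yes" that it encompasses, mirroring the 'match' field built
    with mvmap/mvzip in the answer."""
    ips = sorted(
        {row["ip"] for row in lookup_rows if row.get("exist") == "yes"},
        key=lambda s: (ipaddress.ip_address(s).version, ipaddress.ip_address(s)),
    )
    result = {}
    for cidr in event_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        result[cidr] = [ip for ip in ips if ipaddress.ip_address(ip) in net]
    return result


if __name__ == "__main__":
    # 1.1.1.1 is not inside 1.1.1.254/32: a /32 is a single host.
    print("cidrmatch('1.1.1.254/32', '1.1.1.1') ->", cidrmatch("1.1.1.254/32", "1.1.1.1"))
    print("host-CIDR lookup:", exist_for_host_cidrs(LOOKUP_ROWS, EVENT_CIDRS))
    print("reverse match:   ", reverse_match(LOOKUP_ROWS, EVENT_CIDRS))
```

The point the example makes concrete is the cost asymmetry: exist_for_host_cidrs() does one dictionary probe per event, while reverse_match() tests every "yes" IP against every event CIDR, which is what the SPL append/mvmap construction does under the hood.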
BTW, I have created 2 fields based on my lookup - when the ip exists I have a new field: my_ip = True
Can this be easier to compare now, without using a lookup?
@Shakira1 wrote: BTW, I have created 2 fields based on my lookup - when the ip exists I have a new field: my_ip = True
Can this be easier to compare now, without using a lookup?
Do you mean field ip is an actual field in the event that you wish to calculate on? (Then you use lookup to determine if exist=="true".) In that case, you don't even need to create a new field. (Such details should be explained in the question.) But you still need to explain what your desired output is, with or without that extra field.
For example, if you want to see whether the event IP matches event CIDR, simply do
| eval match = if(cidrmatch(cidr, ip), "yes", "no")
Then do whatever you need with other fields.
The result returns nothing 😞
I've changed the exist to the field from my lookup and the value as well,
and nothing comes up.
What did I miss?
CIDR lookup works in the opposite direction, i.e. it means that the lookup should contain the CIDR address and the event contains an IP, so if lookup contains 1.1.1.254/32 and the event contains 1.1.1.1, then it would not find a match.
Can you give a little more context to your problem - what are you trying to do with this result?
This is exactly my case.
I have a lookup containing my IPs and in the events I have only the range.
Is there any solution to compare them?
So what is creating that lookup and what is the relationship between the CIDR address in the event and the existence of an IP address in a lookup?
What is the purpose of asking the question - "Does my CIDR range encompass a specific IP address"?
What are you trying to achieve? For example, if you ask the question "Does this CIDR range encompass 10.1.1.1" and the answer is "Yes", what do you do with that result?
I'm trying to understand - is this a simple theoretical problem you are trying to solve or is there a wider problem you're solving?
The simple answer is No: you cannot look up a CIDR range in a file containing IP addresses - that is not how CIDR lookups work.
What I tried to do is to compare the data from the CIDR to a lookup with IPs.
I have a list of internal IPs and in the audit I have only CIDRs.
How can I compare them?
Thanks!
Will your CIDR value in the event ever have a non-/32 value at the end? If it is ALWAYS /32, then it is always referring to a single IP, so the simple thing to do is to remove the /32 from the end of the CIDR before doing the lookup
| eval ip=replace(cidr, "/32", "")
| lookup ip_list.csv ip OUTPUT exist
Yes, I thought about it, but what about the rest?