Splunk Search

How to compare CIDR from event to lookup?

Shakira1
Explorer

I have a lookup that contains IPs and I want to compare it to a field from the event that contains a CIDR.

I created a lookup definition and added the match type in the advanced settings: CIDR(ip)

my lookup:

ip        exist
1.1.1.1   "yes"
2.2.2.2

my event:

cidr 

1.1.1.254/32

my query:

| makeresults
| lookup ip ip as cidr output exist

What did I do wrong?


yuanliu
SplunkTrust

First, note that if your lookup gives host IP 1.1.1.1 as "yes", it will not match your event CIDR 1.1.1.254/32 because IPv4 only has 32 bits.  1.1.1.254/32 is effectively host IP 1.1.1.254.  This can easily be tested with cidrmatch.

| makeresults
| eval ip = "1.1.1.1", cidr = "1.1.1.254/32"
| eval match = if(cidrmatch(cidr, ip), "yes", "no")

You can see where I am going with this.  If every cidr in your event has /32 mask, you should use them as host IP in lookup instead.

| rex field=cidr "(?<ip>.+)/32"
| lookup ip ip ``` it is best to name the lookup more descriptively 🙂 ```

If, on the other hand, your event contains less restrictive masks (i.e., they give real CIDR), sure, you can seek a reverse match.  But all the advantages of Splunk lookup are lost; in fact, it can become very expensive if the lookup table is of any meaningful size because you'll be comparing every IP address in the table with every event.  That is n x m.

Here is one approach (assuming that the lookup table is only useful for exist == "yes" entries):

| append
    [inputlookup ip where exist == "yes" ``` assume no other meaningful value ```
    | table ip]
| stats values(ip) as lookie values(cidr) as cidr ``` mingle event data with lookup data ```
| mvexpand cidr
| eval match = mvmap(lookie, if(cidrmatch(cidr, lookie), "yes", null())) ``` stats renamed ip to lookie, so test that field ```
| eval match = mvzip(lookie, match, ":") ``` use side effect that null value zips into null element ```
| eval match = mvmap(match, replace(match, ":yes", ""))
| table cidr match

Field match will contain a list of IPs that match each cidr.


Shakira1
Explorer

BTW, I have created 2 fields based on my lookup - when the IP exists I have a new field: my_ip = True

Can this be easier to compare now, without using the lookup?

yuanliu
SplunkTrust

@Shakira1 wrote:

BTW, I have created 2 fields based on my lookup - when the IP exists I have a new field: my_ip = True

Can this be easier to compare now, without using the lookup?

Do you mean field ip is an actual field in the event that you wish to calculate on? (Then you use lookup to determine if exist=="true")  In that case, you don't even need to create a new field. (Such details should be explained in the question.)  But you still need to explain what your desired output is, with or without that extra field.

For example, if you want to see whether the event IP matches event CIDR, simply do

| eval match = if(cidrmatch(cidr, ip), "yes", "no")

Then do whatever you need with other fields.

Shakira1
Explorer

the result returns me nothing 😞

I've changed the exist to the field from my lookup and the value as well

and nothing comes up.

What did I miss?

bowesmana
SplunkTrust

CIDR lookup works in the opposite direction, i.e. it means that the lookup should contain the CIDR address and the event contains an IP, so if lookup contains 1.1.1.254/32 and the event contains 1.1.1.1, then it would not find a match.

Can you give a little more context to your problem - what are you trying to do with this result?

Shakira1
Explorer

This is exactly my case.

I have a lookup that contains my IPs and in the events I have only the range.

Is there any solution to compare them?

bowesmana
SplunkTrust

So what is creating that lookup and what is the relationship between the CIDR address in the event and the existence of an IP address in a lookup?

What is the purpose of asking the question - "Does my CIDR range encompass a specific IP address"?

What are you trying to achieve? For example, if you ask the question "Does this CIDR range encompass 10.1.1.1" and the answer is "Yes", what do you do with that result?

I'm trying to understand - is this a simple theoretical problem you are trying to solve or is there a wider problem you're solving?

The simple answer is No: You cannot lookup a CIDR range into a file containing IP addresses - that is not how CIDR lookups work.


Shakira1
Explorer

What I tried to do is compare the CIDR data to a lookup with IPs.

I have a list of internal IPs and in the audit I have only CIDRs.

How can I compare them?

Thanks!

bowesmana
SplunkTrust

Will your CIDR value in the event ever have a non-/32 value at the end? If it is ALWAYS /32, then it is always referring to a single IP, so the simple thing to do is to remove the /32 from the end of the CIDR before doing the lookup

| eval ip=replace(cidr, "/32", "")
| lookup ip_list.csv ip OUTPUT exist

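The two approaches in this thread, stripping a /32 so the event value can be used as a host IP for an ordinary exact lookup, and otherwise comparing every lookup IP against each event CIDR (the n x m reverse match), can be prototyped outside Splunk to check what results to expect. The following is an added Python example written for this page; it is not code from any of the posters and is not SPL. It uses the standard-library ipaddress module, and the lookup rows, event values, and the "exist" filtering convention are constructed assumptions that mirror the sample data in the question.

```python
import ipaddress

# Constructed sample data (not taken from the thread): a lookup of host IPs with
# an "exist" column, and audit events that carry only a CIDR value.
IP_LOOKUP = [
    {"ip": "1.1.1.1", "exist": "yes"},
    {"ip": "2.2.2.2", "exist": ""},        # present in the lookup but not flagged
    {"ip": "10.1.1.7", "exist": "yes"},
    {"ip": "10.1.2.9", "exist": "yes"},
]

EVENTS = [
    {"cidr": "1.1.1.254/32"},    # a /32 is one host; it does not contain 1.1.1.1
    {"cidr": "1.1.1.1/32"},      # a /32 that is itself in the lookup
    {"cidr": "10.1.0.0/16"},     # a real range covering two lookup IPs
    {"cidr": "192.168.0.0/24"},  # a range covering nothing in the lookup
    {"cidr": "not-a-cidr"},      # malformed value; treated as "no match"
]


def load_lookup(rows, only_exist="yes"):
    """Parse lookup rows into {ip_address: row}, keeping only rows whose
    exist column equals only_exist (the same assumption the append/inputlookup
    approach makes with `where exist == "yes"`). Unparseable IPs are skipped."""
    table = {}
    for row in rows:
        if row.get("exist") != only_exist:
            continue
        try:
            table[ipaddress.ip_address(row["ip"])] = row
        except ValueError:
            continue  # bad lookup row: ignore rather than abort the whole search
    return table


def parse_cidr(cidr):
    """Return an ip_network for the event value, or None if it is malformed.
    strict=False tolerates host bits being set, e.g. "10.1.1.7/16"."""
    try:
        return ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return None


def host_ip_from_cidr(cidr):
    """If the CIDR is a single host (/32 for IPv4, /128 for IPv6) return that
    address, otherwise None. This is the 'strip the /32' shortcut from SPL."""
    net = parse_cidr(cidr)
    if net is None or net.prefixlen != net.max_prefixlen:
        return None
    return net.network_address


def matching_ips(cidr, table):
    """Return the lookup IPs (as strings, ascending) contained in `cidr`.

    Single-host CIDRs are answered with one dictionary probe, the same cost
    as a normal exact-match lookup. Any other mask has to be compared against
    every lookup IP, which is the n x m cost described in the thread."""
    host = host_ip_from_cidr(cidr)
    if host is not None:
        return [str(host)] if host in table else []
    net = parse_cidr(cidr)
    if net is None:
        return []
    # Sort by (version, integer value) so a mixed v4/v6 table does not raise;
    # `ip in net` is False on a version mismatch, so such entries simply drop out.
    ordered = sorted(table, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered if ip in net]


def enrich_events(events, table):
    """Add a `match` list to each event, mirroring `| table cidr match`."""
    return [{"cidr": e["cidr"], "match": matching_ips(e["cidr"], table)} for e in events]


if __name__ == "__main__":
    lookup = load_lookup(IP_LOOKUP)
    for row in enrich_events(EVENTS, lookup):
        print(f"{row['cidr']:<16} -> {row['match'] or '(no match)'}")
```

Running it shows why the original lookup returned nothing: 1.1.1.254/32 is the single host 1.1.1.254, so it cannot contain 1.1.1.1, while 10.1.0.0/16 picks up both 10.1.x.x entries only because every lookup row was scanned. The 2.2.2.2 row is never matched because its exist column is empty, which is the same filtering assumption the inputlookup subsearch above makes.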

Shakira1
Explorer

Yes, I thought about it, and what about the rest?
