It looks like generating lookup table with prefixes sorted by prefix size (so /24 should occur before /17) is a solution to this problem. So far it seems to work for all prefixes I checked (and I checked around 12 000 IPs against their BGP prefixes). However it would be good to have confirmation in Splunk documentation that this is expected Splunk behaviour.
What I have been able to find is that "The Splunk software processes lookups belonging to a specific host, source, or source type in ASCII sort order." https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Aboutlookupsandfieldactions
My understanding is that in such case if there is 61.31.236.1 tested against lookup where two prefixes exist: 61.31.224.0/20 61.31.236.0/24 it should be matched to 61.31.224.0/20 (as it is first in sorting order). However if the lookup is sorted by network size it is actually being matched to 61.31.236.0/24 which is good from the point of view of described problem but I'm not quite sure if it's aligned with above-mentioned documentation.
... View more