Comparison and conditional Function: CIDRMATCH
CIDR or “Classless Inter-Domain Routing” is a networking procedure to allocate IP addresses for various IP routing.
In our previous blog, we have discussed “CIDR Lookup” in brief. If you have not seen it yet, we will suggest you go through the blog using the link below.
CIDRMATCH:
We use this function to decide whether a particular IP address belongs to a subnet or not
Syntax:
cidrmatch(“X”,Y)
X: it is the CIDR subnet to match with.
Y: it is the IP address to match
Example 1:
index=ip source="*ip_data*"
| stats count by ip
| where cidrmatch("203.34.34.0/15",ip)
Result:
Explanation:
Here we have considered data from the “Ip” index and we have mentioned a source that has some data related to IP addresses. Then using stats command, we have listed down all IP available addresses. Then using the “cidrmatch” function we have filtered all IP addresses belonging to “203.34.34.0/15” subnet, with where command.
Example 2:
index=ip source="*ip_data*"
| stats count by ip
| eval ipOffice=case(cidrmatch("203.34.34.0/15",ip),"admin",cidrmatch("35.138.71.0/15",ip),"master user",0=0,"user")
Result:
Explanation:
Here we have considered data from the “Ip” index and we have mentioned a source that has some data related to IP addresses. Then using the stats command, we have listed down all IP available addresses, same as the first example. Then using the eval command we have created a new field called “ipOffice”, where using “cidrmatch” function we are matching 203.34.34.0/15 and 35.138.71.0/15 subnets to get “admin”, “master user” and “user” field values in “ipOffice” field using case function.
Hope you enjoyed this blog ” Comparison and conditional Function: CIDRMATCH “. see you all on to the next one.
Happy Splunking!!
