Yes, the IPLookup module can be used to filter or enrich fields containing IP addresses using a valid IPv4 or IPv6 CIDR.
Here are the supported options for this module:
-r <arg>: The “-r” option informs the iplookup module which lookup resource should be used to enrich data.
-s: The “-s” option specifies that the iplookup module should require that all specified operations succeed.
-v: The “-v” flag inverts the flow logic in the lookup module, meaning that successful matches are suppressed and missed matches are passed on. The -v flag is not compatible with enrichments.
-e <arg>: The “-e” flag specifies the enumerated value to use when matching against the resource list. “-e” is a required flag.
-cidr <arg>: The “-cidr” flag specifies the column to use in the resource CSV that contains the CIDR specifications. If no “-cidr” flag is specified the iplookup module assumes a column named CIDR.
-ip <arg>: The “-ip” flag specifies the column to use in the resource CSV that contains the IP component of a CIDR specification. The -ip flag requires the -subnet flag and cannot be combined with the -cidr flag.
-subnet <arg>: The “-subnet” flag specifies the column to use in the resource CSV that contains the subnet component of a CIDR specification. The -subnet flag requires the -ip flag and cannot be combined with the -cidr flag.
Here are some examples of filtering a field based on CIDR notation:
Filter entries where IP is a private IP
tag=data json IP | iplookup -s IP ~ PRIVATE
Filter entries where IP is NOT a private IP
tag=data json IP | iplookup -s -v IP ~ PRIVATE
Here is an example of enriching data based on CIDR notation:
Resource contents (network_name)
CIDR,network
10.0.0.0/24,engineering
10.10.10.0/24,sales
172.20.0.0/24,finance
192.168.0.0/16,marketing
Enrich IP based on associated network with network name
tag=data json IP | iplookup -s -r network_name -e IP network | table IP network
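A pre-upload check for a CIDR resource like network_name above, added here as an example and not part of the original article or the product: it reads rows using either a CIDR column or an IP plus subnet column pair, rejects malformed entries, and reports overlapping ranges. The function name, the "lab" and "typo" rows, and the assumption that a subnet column holds a prefix length or dotted netmask are constructed for illustration; the article does not say how iplookup treats overlapping ranges, so they are only flagged for review.

```python
import csv
import io
import ipaddress

# Constructed sample: the network_name rows from the article plus two
# deliberately bad rows (an overlap and a typo) to show what gets reported.
SAMPLE = """CIDR,network
10.0.0.0/24,engineering
10.10.10.0/24,sales
172.20.0.0/24,finance
192.168.0.0/16,marketing
192.168.5.0/24,lab
10.0.0.300/24,typo
"""

def check_resource(text, cidr_col="CIDR", ip_col=None, subnet_col=None):
    """Return (networks, problems) for a CSV resource (hypothetical helper).

    cidr_col mirrors -cidr; ip_col and subnet_col mirror -ip and -subnet.
    """
    if (ip_col is None) != (subnet_col is None):
        raise ValueError("-ip and -subnet must be given together")
    seen, problems = [], []
    # Data rows start on line 2; line 1 is the CSV header.
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if ip_col:
            spec = f"{row[ip_col].strip()}/{row[subnet_col].strip()}"
        else:
            spec = row[cidr_col].strip()
        try:
            # strict=True also rejects host bits, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(spec, strict=True)
        except ValueError as err:
            problems.append(f"line {lineno}: invalid CIDR {spec!r}: {err}")
            continue
        for other_line, other in seen:
            if net.version == other.version and net.overlaps(other):
                problems.append(
                    f"line {lineno}: {net} overlaps {other} (line {other_line})")
        seen.append((lineno, net))
    return [net for _, net in seen], problems

if __name__ == "__main__":
    nets, issues = check_resource(SAMPLE)
    print(f"{len(nets)} valid networks")
    for issue in issues:
        print(issue)
```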