lookup operator with compareCIDRPrefix

Follow
Avatar
Bowei Chi

Can I use lookup operator in combination with compareCIDRPrefix to check if ip in the log is in a list of cidrs from csv?  

Something like this, but iIt complain about "unexpected token" if I query this.

| lookup ip, prefix_length from https://xxxxxxx.ngrok.io/source_of_cidrs.csv on compareCIDRPrefix(ip, dest_ip, toInt(prefix_length))

Please help!

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Piotr Woch

    Hello Bowei,

    The join column expression for the lookup operator needs to refer to actual field names in field1=field2 format, it cannot calculate the join condition result from a function.

    It seems that for what you are trying to achieve a better solution would be to ingest the IP data into Sumo and then use the compareCIDRPrefix function. Besides the syntax requirements, the lookup operator would fail your query if it is not able to fetch the data within 10 seconds.

    I hope this helps.

    Best regards,

    Piotr Woch

    Customer Success Engineer

    0
    Comment actions Permalink
  • Avatar
    Bowei Chi

    Thanks for the reply Piotr.

    Is there a work around for this use case where I have cidr information in CSV in the format of 

    route, mask_length

    95.83.225.128,29

    95.85.86.0,24

    represent cidr 95.83.225.128/29 and 95.85.86.0/24

    I need to check if a IP from a log is within any of the cidr ranges from CSV.

    Thanks!

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post