lookup operator with compareCIDRPrefix
Can I use the lookup operator in combination with compareCIDRPrefix to check if an IP in the log is in a list of CIDRs from a CSV?
Something like this, but it complains about "unexpected token" if I query this.
| lookup ip, prefix_length from https://xxxxxxx.ngrok.io/source_of_cidrs.csv on compareCIDRPrefix(ip, dest_ip, toInt(prefix_length))
Please help!
-
Hello Bowei,
The join column expression for the lookup operator needs to refer to actual field names in field1=field2 format; it cannot calculate the join condition result from a function.
It seems that, for what you are trying to achieve, a better solution would be to ingest the IP data into Sumo and then use the compareCIDRPrefix function. Besides the syntax requirements, the lookup operator would fail your query if it is not able to fetch the data within 10 seconds.
I hope this helps.
Best regards,
Piotr Woch
Customer Success Engineer
-
Thanks for the reply Piotr.
Is there a workaround for this use case where I have CIDR information in a CSV in the format of
route, mask_length
95.83.225.128,29
95.85.86.0,24
representing CIDRs 95.83.225.128/29 and 95.85.86.0/24
I need to check if an IP from a log is within any of the CIDR ranges from the CSV.
Thanks!
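The check asked about above, done outside the query language, as an added example that is not part of the thread and is not Sumo Logic code: it reads CSV in the route, mask_length layout from the post and tests an address against every row by comparing the leading mask_length bits, a per-row function match that an equality join on field1=field2 cannot express. The function names and the sample log IPs are assumptions constructed here.

```python
import csv
import io
import ipaddress

# Constructed sample in the "route, mask_length" layout from the post above.
SAMPLE_CSV = """route, mask_length
95.83.225.128,29
95.85.86.0,24
"""

def same_prefix(ip_a, ip_b, prefix_length):
    """True when two IPv4 addresses share their first prefix_length bits."""
    if not 0 <= prefix_length <= 32:
        raise ValueError(f"bad IPv4 prefix length: {prefix_length}")
    a = int(ipaddress.IPv4Address(ip_a))
    b = int(ipaddress.IPv4Address(ip_b))
    shift = 32 - prefix_length
    return (a >> shift) == (b >> shift)

def load_cidrs(text):
    """Parse CSV text into (route, mask_length) tuples, skipping bad rows."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    rows = []
    for row in reader:
        if len(row) != 2:
            continue
        route, mask = row[0].strip(), row[1].strip()
        try:
            ipaddress.IPv4Address(route)
            mask_length = int(mask)
        except ValueError:
            continue  # header line or malformed row
        if 0 <= mask_length <= 32:
            rows.append((route, mask_length))
    return rows

def matching_cidrs(ip, cidrs):
    """Return every CIDR (as 'route/len') that contains ip."""
    return [f"{r}/{m}" for r, m in cidrs if same_prefix(ip, r, m)]

if __name__ == "__main__":
    cidrs = load_cidrs(SAMPLE_CSV)
    # Constructed log IPs: two inside a listed range, one just outside the /29.
    for log_ip in ("95.83.225.130", "95.85.86.77", "95.83.225.136"):
        print(log_ip, matching_cidrs(log_ip, cidrs))
```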