Filters events using CIDR subnets. Used for both IPv4 and IPv6 addresses.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| column | string | optional[a] | | When file and column parameters are used together, it loads the subnet list from the given .csv. |
| field[b] | string | required | | Specifies the field that the CIDR expression runs against. |
| file | string | optional[a] | | When file and column parameters are used together, it loads the subnet list from the given .csv. |
| negate (deprecated) | boolean | optional[a] | false | This parameter is deprecated. Use the !cidr(...) negation instead to allow only addresses that are not in the given subnet to pass through (see cidr() Examples) or to allow events without the assigned field to pass through. (deprecated in 1.100.0) |
| subnet | array of strings | optional[a] | | Specifies the list of IP ranges the CIDR expression matches with. |

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name field can be omitted.

cidr() Examples

Check if Field Contains Valid IP Address

Check if field contains valid IP address using the cidr() function

Query
logscale
case {
cidr("address", subnet=["0.0.0.0/0", "::/0"]) | ip := address;
*
}
Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses. In this example, the cidr() function is used to check if a field contains valid IP addresses, both IPv4 and IPv6.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    case {
            cidr("address", subnet=["0.0.0.0/0", "::/0"]) | ip := address;
            *
    }

    Checks if a field contains valid IP addresses, both IPv4 and IPv6, and then assigns that address to the field ip.

    If you only want to check for valid IPv4 addresses, use: cidr("address", subnet="0.0.0.0/0")

    If you only want to check for valid IPv6 addresses, use: cidr("address", subnet="::/0")

  3. Event Result set.

Summary and Results

The query is used to check for valid IP addresses.

Filter Events Using CIDR Subnets - Example 1

Filter events using CIDR subnets to limit search to an IP within an IP range

Query
logscale
cidr(ipAddress, subnet="192.0.2.0/24")
Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses. In this example, the cidr() function is used to match events where an IP is within a given IP range.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    cidr(ipAddress, subnet="192.0.2.0/24")

    Matches events for which the ipAddress field is in the IP range 192.0.2.0/24.

  3. Event Result set.

Summary and Results

The query is used to search on specific subnets within the network, optimizing query performance. The search will only be performed on the IP addresses that fall in the range of the specified subnet filter.

Filter Events Using CIDR Subnets - Example 2

Filter events using CIDR subnets to limit search to two specific IP ranges

Query
logscale
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])
Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses. In this example, the cidr() function is used to match events within two IP ranges.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])

    Matches events for which the ipAddress field is in the IP range 192.0.2.0/24 or 203.0.113.0/24.

  3. Event Result set.

Summary and Results

The query is used to search on specific subnets within the network, optimizing query performance. The search will only be performed on the IP addresses that fall in the range of the specified subnet filters.

Filter Events Using CIDR Subnets - Example 3

Filter events using CIDR subnets to match attributes listed in an uploaded cidrfile.csv

Query
logscale
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")
Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses. In this example, the cidr() function is used to match events for which the SRC attribute is one of those listed in the uploaded file cidrfile.csv with the subnets in the column cidr-block.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    cidr(field=SRC, file="cidrfile.csv", column="cidr-block")

    Matches events for which the SRC field is one of those listed in the uploaded file cidrfile.csv with the subnets in the column cidr-block.

  3. Event Result set.

Summary and Results

The query is used to search on specific subnets within the network, optimizing query performance. The search will only be performed on the IP addresses that fall in the range of the specified subnet filter.

Filter Events Using CIDR Subnets - Example 4

Filter events using CIDR subnets with negation to match events not in a given IP range

Query
logscale
!cidr(ipAddress, subnet="192.0.2.0/24")
Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses. In this example, the cidr() function is used with a negation to match events for which the ipAddress attribute is not in a given IP range.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    !cidr(ipAddress, subnet="192.0.2.0/24")

    Matches events for which the ipAddress field is not in the IP range 192.0.2.0/24.

  3. Event Result set.

Summary and Results

The query is used to search on specific subnets within the network, optimizing query performance. The search will only be performed on the IP addresses that do not fall in the range of the specified subnet filter.
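
The matching rules used across the examples above, modelled in Python as an added example (this is not LogScale's implementation and not code from this documentation). The event list, the CSV contents and all function names are constructed for illustration, and the model assumes negation is a plain logical NOT, so a non-IP value or a missing field passes !cidr(...).

```python
import csv
import io
import ipaddress

def load_subnets(csv_text, column):
    """Read CIDR blocks from one named CSV column (models file= and column=)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in rows if row.get(column)]

def cidr(event, field, subnet):
    """True if event[field] parses as an IP address inside any listed subnet."""
    subnets = [subnet] if isinstance(subnet, str) else list(subnet)
    value = event.get(field)
    if value is None:
        return False                      # missing field: no match
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False                      # not an IP address: no match
    nets = (ipaddress.ip_network(s, strict=False) for s in subnets)
    return any(addr.version == n.version and addr in n for n in nets)

# Constructed sample data (documentation address ranges, not real traffic).
EVENTS = [
    {"ipAddress": "192.0.2.17"},      # 0
    {"ipAddress": "203.0.113.5"},     # 1
    {"ipAddress": "198.51.100.9"},    # 2
    {"ipAddress": "2001:db8::1"},     # 3
    {"ipAddress": "not-an-ip"},       # 4
    {"user": "alice"},                # 5: no ipAddress field
]
CIDRFILE = "name,cidr-block\nlab,192.0.2.0/24\ndmz,203.0.113.0/24\n"
ANY_IP = ["0.0.0.0/0", "::/0"]
LAB = "192.0.2.0/24"

def matching(predicate):
    """Indexes of the sample events that pass the filter."""
    return [i for i, e in enumerate(EVENTS) if predicate(e)]

def results():
    f = "ipAddress"
    return {
        "valid_ip": matching(lambda e: cidr(e, f, ANY_IP)),
        "in_lab": matching(lambda e: cidr(e, f, LAB)),
        "from_file": matching(lambda e: cidr(e, f, load_subnets(CIDRFILE, "cidr-block"))),
        "negated": matching(lambda e: not cidr(e, f, LAB)),
        "valid_and_negated": matching(lambda e: cidr(e, f, ANY_IP) and not cidr(e, f, LAB)),
    }

if __name__ == "__main__":
    for name, hits in results().items():
        print(name, hits)
```

In this model the negated filter alone also returns the malformed value and the event with no ipAddress field; combining it with the validity check from the first example keeps only real addresses outside the range.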