Filters events using CIDR subnets. Used for both IPv4 and IPv6 addresses.

ParameterTypeRequiredDefault ValueDescription
columnstringoptional[a]  When file and column parameters are used together, it loads the subnet list from the given .csv.
field[b]stringrequired  Specifies the field that the CIDR expression runs against.
filestringoptional[a]  When file and column parameters are used together, it loads the subnet list from the given .csv.
negate (deprecated)booleanoptional[a]false This parameter is deprecated. Use the !cidr(...) negation instead to allow only addresses that are not in the given subnet to pass through (see cidr() Examples) or to allow events without the assigned field to pass through. (deprecated in 1.100.0)
subnetArray of stringsoptional[a]  Specifies the list of IP ranges the CIDR expression matches with.

[a] Optional parameters use their default value unless explicitly set.

[b] The argument name field can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

Hide negatable operation for this function

Show negatable operation for this function

cidr() Examples

Matches events for which the ipAddress attributes is in the IP range 192.0.2.0/24:

logscale
cidr(ipAddress, subnet="192.0.2.0/24")

Matches events for which the ipAddress attributes is not in the IP range 192.0.2.0/24:

logscale
!cidr(ipAddress, subnet="192.0.2.0/24")

Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24 or 203.0.113.0/24:

logscale
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])

Matches events for which the SRC attributes is one of those listed in the uploaded file cidrfile.csv with the subnets in the column cidr-block:

logscale
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")

Check if a field contains valid IP addresses, both IPv4 and IPv6:

logscale
case {
    cidr("address", subnet=["0.0.0.0/0", "::/0"]) 
| ip := address;
    *
}

It can also be used to check if a field contains a valid IPv4 address alone:

logscale
cidr("address", subnet="0.0.0.0/0")

or a valid IPv6 address:

logscale
cidr("address", subnet="::/0")