Filter Events Using CIDR Subnets - Example 3

Filter events using CIDR subnets to match attributes listed in an uploaded cidrfile.csv

Query

```logscale
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")
```

Introduction

The cidr() function can be used to filter events using CIDR subnets and is used for both IPv4 and IPv6 addresses.

In this example, the cidr() function is used to match events for which the SRC attribute is one of those listed in the uploaded file cidrfile.csv, using the subnets in the column cidr-block.

Step-by-Step

  1. Starting with the source repository events.

  2. Apply the cidr() expression to the events.

     ```logscale
     cidr(field=SRC, file="cidrfile.csv", column="cidr-block")
     ```

     Matches events for which the SRC field is one of those listed in the uploaded file cidrfile.csv, using the subnets in the column cidr-block.

  3. Event Result set.

Summary and Results

The query is used to search on specific subnets within the network, optimizing query performance. The search will only be performed on the IP addresses that fall within the range of the specified subnet filter.
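To make the matching semantics concrete, the following is an added Python sketch of what the filter does (not LogScale's own implementation): it reads the cidr-block column of a constructed cidrfile.csv, parses each entry as an IPv4 or IPv6 subnet, and keeps only the constructed events whose SRC field falls inside one of them. The function names load_subnets and cidr_filter are assumptions for this example.

```python
import csv
import io
import ipaddress

# Constructed stand-in for the uploaded cidrfile.csv (not from the page).
CIDRFILE_CSV = """name,cidr-block
corp-lan,10.0.0.0/8
dmz,192.168.100.0/24
ipv6-office,2001:db8:1::/48
"""

# Constructed sample events; only the SRC field matters to the filter.
EVENTS = [
    {"SRC": "10.12.3.4", "action": "login"},
    {"SRC": "172.16.0.9", "action": "login"},
    {"SRC": "192.168.100.250", "action": "scan"},
    {"SRC": "2001:db8:1:7::42", "action": "login"},
    {"SRC": "2001:db8:2::1", "action": "login"},
    {"SRC": "not-an-ip", "action": "error"},
]


def load_subnets(csv_text, column):
    """Parse the named CSV column into IPv4/IPv6 networks, skipping blank or malformed entries."""
    subnets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        if not value:
            continue
        try:
            # strict=False accepts host bits set (e.g. 10.1.2.3/8) and masks them off.
            subnets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue  # malformed CIDR in the lookup file: ignore rather than abort
    return subnets


def cidr_filter(events, field, csv_text, column):
    """Keep events whose `field` holds an IP inside any subnet listed in `column` (IPv4 and IPv6)."""
    subnets = load_subnets(csv_text, column)
    matched = []
    for event in events:
        try:
            addr = ipaddress.ip_address(event.get(field, ""))
        except ValueError:
            continue  # missing or unparsable SRC never matches
        # `addr in net` is False across address families, so mixed v4/v6 lists are safe.
        if any(addr in net for net in subnets):
            matched.append(event)
    return matched


if __name__ == "__main__":
    for e in cidr_filter(EVENTS, "SRC", CIDRFILE_CSV, "cidr-block"):
        print(e)
```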