Filters events using CIDR subnets.

ParameterTypeRequiredDefaultDescription
columnstringfalse When file and column parameters are used together, it loads the subnet list from the given .csv.
fieldstringfalse Specifies the field that the CIDR expression runs against. [a]
filestringfalse When file and column parameters are used together, it loads the subnet list from the given .csv.
negatebooleanfalsefalseAllows only addresses that are not in the given subnet to pass through. It also allows events without the assigned field to pass through.
subnet[string]false Specifies the list of IP ranges the CIDR expression matches with.

[a] When you provide only one parameter, the implied parameter is field

Examples

Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24

humio
cidr(ipAddress, subnet="192.0.2.0/24")

Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24 or 203.0.113.0/24

humio
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])

Matches events for which the SRC attributes is one of those listed in the uploaded file cidrfile.csv with the subnets in the column cidr-block

humio
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")