cidr() Query Function

Filters events using CIDR subnets.

Parameters

Name

Type

Required

Default

Description

subnet

[string]

No

description

file

string

No

When file and column parameters are used together, load subnet list from given CSV.

column

string

No

When file and column parameters are used together, load subnet list from given CSV.

field

string

No

Specifies the field to run the CIDR expression against.

negate

boolean

No

false

Only let addresses not in the given subnet pass through. Also let events without the assigned field pass through.

The implied parameter is field.

Examples

Matches events for which the ‘ipAddress’ attributes is in the ip range 192.0.2.0/24

humio
cidr(ipAddress, subnet="192.0.2.0/24")

Matches events for which the ‘ipAddress’ attributes is in the ip range 192.0.2.0/24 or 203.0.113.0/24

humio
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])

Matches events for which the ‘SRC’ attributes is one of those listed in the uploaded file cidrfile.csv with the subnets in the column cidr-block

humio
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")