Cidr_match on multiple subnets

michelledrew · May 28, 2020, 2:05pm

Hello, I was wondering if any of you guys knew whether i could use cidr_match multiple times in one pipeline…
e.g.
when
has_field(“src_ip”)
then
set_field(“internal_ip”, cidr_match(“subnet/mask”, to_ip($message.src_ip)));
set_field(“internal_ip”, cidr_match(“subnet/mask”, to_ip($message.src_ip)));
set_field(“internal_ip”, cidr_match(“subnet/mask”, to_ip($message.src_ip)));

I want the cidr_match to happen on all subnets. So far it just checks on the first one, to see whether they’re internal or not. Is this possible? Thank you in advance!

fangycz · May 28, 2020, 4:16pm

rule “blabla”
when
cidr_match(“192.168.0.0/16”, to_ip($message.src_ip)) ||
cidr_match(“172.16.0.0/12”, to_ip($message.src_ip)) ||
cidr_match(“10.0.0.0/8”, to_ip($message.src_ip))
then
set_field(“internal_ip”, true);
end

system · June 11, 2020, 4:16pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Mapping IPs to subnets Graylog Central (peer support) pipeline-rules	11	3514	March 1, 2018
CIDR notation in search? Graylog Central (peer support) pipeline-rules	5	1956	November 6, 2017
CIDR \ Lookup Tables \ IOC Mapping Graylog Central (peer support)	1	745	April 6, 2019
This IPv6 address cannot be used in IPv4 context Graylog Central (peer support)	4	1012	February 25, 2017
How to add cidr in the search example : search logs based of 192.168.1.0/24 Graylog Central (peer support)	3	734	July 1, 2022

Cidr_match on multiple subnets

Related topics