07-16-2024 08:04 AM
Hello,
I have an XQL query and I need IPs to be displayed if they are in some CIDR.
I know about the incidr command and the documentation says we can use it with multiple CIDRs if we use a comma to separate them.
Example:
filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24") = true
It doesn't work at all (I tried with 2 CIDRs; I get an empty result and I should have at least one result).
Using multiple lines with alter is not an option since I have over 100 CIDRs (and 100 lines with alter to create) and the command will take forever to run.
I was wondering if using a custom dataset will work.
If it does, how can I use it?
Regards,
Rémi.
07-16-2024 09:17 AM
Hello,
Thanks for reaching out to us using the Live Community.
Please try the query below:
dataset = endpoints
| arrayexpand ip_address
| filter incidr(ip_address, "192.168.0.0/24, 1.168.0.0/24")
| fields ip_address
If this post answers your question, please mark it as the solution.
07-18-2024 01:28 AM
Hello,
I tried the exact query and the result is empty.
I have IP addresses in 192.168.0.0/24.
If I run the query below, it works, but it's not an option since I have over 100 CIDRs:
dataset = endpoints
| arrayexpand ip_address
| alter srcType = if(incidr(ip_address, "192.168.0.0/24") = true, "local", if(incidr(ip_address, "1.168.0.0/24") = true, "local", "remote"))
| filter srcType = "local"
| fields ip_address
Regards,
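The single-range form from the post above, generated for a long CIDR list, as an added example that is not part of the original thread: a Python helper that validates and collapses the ranges, emits one `incidr()` test per range, and evaluates the same membership locally so you know what the query should return. Joining the tests with `or` in one `filter` stage is an assumption; the function names and sample values are constructed.

```python
import ipaddress


def normalize_cidrs(cidrs):
    """Parse, validate and collapse IPv4 CIDR strings into a minimal sorted list."""
    nets = []
    for raw in cidrs:
        text = raw.strip()
        if not text:
            continue
        # strict=True raises ValueError when host bits are set (e.g. 192.168.0.1/24)
        nets.append(ipaddress.IPv4Network(text, strict=True))
    # collapse_addresses merges duplicate, nested and adjacent ranges
    return list(ipaddress.collapse_addresses(nets))


def build_query(cidrs, field="ip_address", dataset="endpoints"):
    """Build an XQL query using one single-CIDR incidr() test per range."""
    nets = normalize_cidrs(cidrs)
    if not nets:
        raise ValueError("no CIDR ranges supplied")
    tests = [f'incidr({field}, "{net}") = true' for net in nets]
    # Assumption: the tests can be chained with `or` inside one filter stage.
    condition = " or ".join(tests)
    return (f"dataset = {dataset}\n"
            f"| arrayexpand {field}\n"
            f"| filter {condition}\n"
            f"| fields {field}")


def expected_matches(ips, cidrs):
    """Run the same membership test offline to predict the query's result."""
    nets = normalize_cidrs(cidrs)
    return [ip for ip in ips
            if any(ipaddress.IPv4Address(ip) in net for net in nets)]


# Constructed sample input: the two ranges from the thread plus one adjacent
# and one nested range to show the collapsing step.
SAMPLE_CIDRS = ["192.168.0.0/24", "1.168.0.0/24",
                "192.168.1.0/24", "192.168.0.128/25"]
SAMPLE_IPS = ["192.168.0.17", "1.168.0.200", "10.0.0.5", "192.168.1.9"]

if __name__ == "__main__":
    print(build_query(SAMPLE_CIDRS))
    print(expected_matches(SAMPLE_IPS, SAMPLE_CIDRS))
```

Collapsing first keeps the generated filter as short as the address plan allows, and a non-empty `expected_matches` result alongside an empty query result points at the query rather than the data.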
07-18-2024 10:45 PM
Hello @RemiLiquete,
We have helped you with a template. You have to check how to include 100 CIDRs; in case you need assistance, you can check with the Accounts Team for Professional Services.
Hope this helps!