cidr() Query Function

Filters events using CIDR subnets.

Parameters

| Name | Type | Required | Default | Description |
|------|------|----------|---------|-------------|
| subnet | [string] | No | | Specifies a CIDR subnet to filter on. |
| file | string | No | | When file and column parameters are used together, load subnet list from given CSV. |
| column | string | No | | When file and column parameters are used together, load subnet list from given CSV. |
| field | string | Yes | | Specifies the field to run the CIDR expression against. |
| negate | bool | No | false | Only let addresses not in the given subnet pass through. (Also let events without the assigned field pass through.) |

field is the unnamed parameter.

Examples

Matches events for which the ‘ipAddress’ attribute is in the IP range 77.243.48.0/20

cidr(ipAddress, subnet="77.243.48.0/20")

Matches events for which the ‘ipAddress’ attribute is in the IP range 77.243.48.0/20 or 255.0.0.0/16

cidr(ipAddress, subnet=["77.243.48.0/20", "255.0.0.0/16"])

Matches events for which the ‘SRC’ attribute is in one of the subnets listed in the column ‘cidr-block’ of the uploaded file ‘cidrfile.csv’

cidr(field=SRC, file="cidrfile.csv", column="cidr-block")
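
The filtering semantics described in the parameter table, modelled in Python as an added example (not the product's own code). The helper names, sample events and CSV content are constructed; two behaviours are assumptions, not stated on this page: events without the field are dropped when negate is false, and unparsable values are treated as not in any subnet.

```python
import csv
import io
import ipaddress

def load_subnets(csv_text, column):
    """Read CIDR blocks from one CSV column (models file= together with column=)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [ipaddress.ip_network(row[column].strip()) for row in reader]

def cidr_filter(events, field, subnets, negate=False):
    """Return the events a cidr(field, subnet=..., negate=...) filter lets through."""
    nets = [ipaddress.ip_network(s) if isinstance(s, str) else s for s in subnets]
    passed = []
    for event in events:
        value = event.get(field)
        if value is None:
            # Documented: with negate, events without the field pass through.
            # Assumption: without negate, such events are dropped.
            if negate:
                passed.append(event)
            continue
        try:
            addr = ipaddress.ip_address(value)
            in_subnet = any(addr in net for net in nets)
        except ValueError:
            in_subnet = False  # Assumption: unparsable value is "not in subnet"
        if in_subnet != negate:
            passed.append(event)
    return passed

def ids(events):
    """Project events to their ids for compact comparison."""
    return [e["id"] for e in events]

# Constructed sample data
EVENTS = [
    {"id": 1, "SRC": "77.243.48.10"},  # inside 77.243.48.0/20
    {"id": 2, "SRC": "77.243.64.1"},   # just past the /20 (ends at 77.243.63.255)
    {"id": 3, "SRC": "255.0.200.7"},   # inside 255.0.0.0/16
    {"id": 4, "user": "alice"},        # no SRC field at all
]
CIDR_CSV = "cidr-block,owner\n77.243.48.0/20,edge\n255.0.0.0/16,lab\n"

if __name__ == "__main__":
    nets = load_subnets(CIDR_CSV, "cidr-block")
    print("match :", ids(cidr_filter(EVENTS, "SRC", nets)))
    print("negate:", ids(cidr_filter(EVENTS, "SRC", nets, negate=True)))
```

With negate, event 4 is returned even though it has no SRC value, so a search that uses negate to exclude known ranges also returns events lacking the field.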