
We have a list of ~500k CIDRs previously used as a lookup table in Splunk that we would like to replicate as a Reference Table in Chronicle. The issue is that the list far exceeds the bounds of what Chronicle allows.

There are almost 500k CIDR ranges with no exact duplicates. Potentially some of the ranges overlap, but it is doubtful that would be anywhere close to enough of a reduction.

CIDRs are on average in the /14 to /23 range. This makes enumerating them as strings mostly infeasible as well. I believe the max number of Chronicle CIDR rows is 150.

Max Chronicle String List size is 6MB.

We could potentially use multiple lists, but that would likely require 10+ lists used in the same rule, which I don't think Chronicle allows.

Even if we split the list based on some filter condition and then split the rule by the same condition, we would still likely have an unreasonable number of lists and rules, and management of these would be a nightmare.

Any ideas?
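Before deciding how to split the list, it helps to measure the three quantities the post reasons about: how much overlap/adjacency collapsing actually buys, how large the collapsed list is against the 6MB string-list limit and the 150-row CIDR limit the post cites, and how badly enumerating /14..../23 ranges to individual host strings blows up. The script below is an added example, not code from the original post or from Chronicle; it uses only the Python standard library `ipaddress` module. The CIDR sample is constructed for illustration, and the two limits are taken as stated in the post rather than verified against Chronicle documentation.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Limits as stated in the post above; treated as inputs, not verified here.
MAX_CIDR_ROWS = 150
MAX_STRING_LIST_BYTES = 6 * 1024 * 1024

# Constructed sample: overlapping, adjacent, non-adjacent and one IPv6 entry.
SAMPLE_CIDRS = [
    "10.0.0.0/16",      # parent of the next two
    "10.0.0.0/17",      # fully covered by 10.0.0.0/16
    "10.0.128.0/17",    # fully covered by 10.0.0.0/16
    "10.1.0.0/16",      # adjacent sibling of 10.0.0.0/16 -> merges to /15
    "172.16.0.0/14",    # large, stands alone
    "192.168.0.0/24",   # not adjacent to 192.168.2.0/24 (gap at .1.0/24)
    "192.168.2.0/24",
    "2001:db8::/32",    # IPv6 entry, collapsed separately
]


def collapse_cidrs(cidrs: Iterable[str]) -> List[Net]:
    """Parse CIDR strings and merge covered and adjacent networks.

    IPv4 and IPv6 are collapsed separately because collapse_addresses()
    refuses mixed versions. strict=False tolerates host bits set in input.
    """
    nets = [ipaddress.ip_network(c.strip(), strict=False) for c in cidrs if c.strip()]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def string_list_bytes(nets: Iterable[Net]) -> int:
    """Size of the list as one CIDR string per line, newline-terminated."""
    return sum(len(str(n)) + 1 for n in nets)


def total_v4_hosts(nets: Iterable[Net]) -> int:
    """Number of individual IPv4 addresses the ranges would expand to."""
    return sum(n.num_addresses for n in nets if n.version == 4)


def enumerated_v4_bytes(nets: Iterable[Net]) -> int:
    """Upper-bound size of a host-per-line enumeration (widest address in range)."""
    return sum(n.num_addresses * (len(str(n.broadcast_address)) + 1)
               for n in nets if n.version == 4)


def chunk_by_size(nets: List[Net], max_bytes: int) -> List[List[Net]]:
    """Split into consecutive lists that each fit under a byte limit."""
    chunks: List[List[Net]] = []
    cur: List[Net] = []
    cur_bytes = 0
    for n in nets:
        sz = len(str(n)) + 1
        if cur and cur_bytes + sz > max_bytes:
            chunks.append(cur)
            cur, cur_bytes = [], 0
        cur.append(n)
        cur_bytes += sz
    if cur:
        chunks.append(cur)
    return chunks


def chunk_by_rows(nets: List[Net], max_rows: int) -> List[List[Net]]:
    """Split into consecutive lists of at most max_rows entries."""
    return [nets[i:i + max_rows] for i in range(0, len(nets), max_rows)]


def summarize(cidrs: Iterable[str]) -> dict:
    """Report reduction and how many lists each limit would force."""
    raw = [c for c in cidrs if c.strip()]
    collapsed = collapse_cidrs(raw)
    return {
        "input_rows": len(raw),
        "collapsed_rows": len(collapsed),
        "string_list_bytes": string_list_bytes(collapsed),
        "string_lists_needed": len(chunk_by_size(collapsed, MAX_STRING_LIST_BYTES)),
        "cidr_lists_needed": len(chunk_by_rows(collapsed, MAX_CIDR_ROWS)),
        "v4_hosts_if_enumerated": total_v4_hosts(collapsed),
        "v4_enumeration_bytes": enumerated_v4_bytes(collapsed),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CIDRS).items():
        print(f"{k}: {v}")
```

Run it against the real 500k-line file by replacing `SAMPLE_CIDRS` with the file's lines. On the sample, eight inputs collapse to five networks, but the single /14 alone expands to 262,144 host entries (roughly 3.9MB at one address per line), which is why the post's host-enumeration option does not scale; `string_lists_needed` and `cidr_lists_needed` give the list counts the post would have to manage under each limit.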

Hi,

Please open a support case, so we can work on this and see if there is a possible alternative or we can open a feature request. Thanks!

