Search:index=foo | dedup 1 host sortby -_time |rex field=host "(?P<device>.*

1. Search:
2.  
3. index=foo | dedup 1 host sortby -_time |rex field=host "(?P<device>.*)" | stats count by staticIP device| lookup networks device OUTPUT network | where cidrmatch(network,staticIP)
4.  
5. Lookup:
6.  
7. device, network
8. Router0, 10.0.0.0/8
9. Router1, 132.10.0.0/16
10. Router1, 188.2.0.0/16
11. Router2, 89.0.0.0/8
12. Router3, 192.168.0.0/16
13. Router4, 26.3.0.0/16
14.  
15. Results:
16.  
17. staticIP device count network
18. 26.3.55.0 Router4 1 26.3.0.0/16
19. 192.168.0.0 Router3 1 192.168.0.0/16
20. 192.168.128.0 Router3 1 192.168.0.0/16
21. 89.128.0.0 Router2 1 89.0.0.0/8
22.  
23. There are results missing for Router1, it should show 132.10.0.0 and 188.2.30.0.
24.  
25. If I remove one of the Router 1 entries, I get the following
26.  
27. staticIP device count network
28. 26.3.55.0 Router4 1 26.3.0.0/16
29. 192.168.0.0 Router3 1 192.168.0.0/16
30. 192.168.128.0 Router3 1 192.168.0.0/16
31. 89.128.0.0 Router2 1 89.0.0.0/8
32. 188.2.30.0 Router1 1 188.2.0.0/16
33.  
34. Note the entry for Router1