I am trying to figure out how to write a filter that will add a tag to any ip's that come out of netflow that are listed on specific blacklist (zeuss, edrop, ect). I have the list and I have the netflow data coming into logstash. I just don't know how to query an array of values that will change over time. Also some of the list are in CIDR notation and others are single host ip addresses. I know there is a way to query cidr notation and I can re-format any of the files if I need to. Its not hard to add a /32 to the end of anything 
I just don't know exactly how to write the filter.
Thanks,
Brad