https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67787#M1564 <P>Splunk is pretty flexible. Take a look at <B>lookup tables</B> and <B>custom search commands</B>.</P> <P><A href="http://www.splunk.com/base/Documentation/4.2/Knowledge/Addfieldsfromexternaldatasources" rel="nofollow">Lookup tables</A> allow you to add new fields based on existing ones. Typically you'll use a CSV file, but you can also us custom Python code. Take a look at the earlier question about <A href="http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table" rel="nofollow">Using CIDR in a lookup table</A> for more ideas.</P> <P>Custom search commands allow you to take things further, and process search results almost any way you want. Again, these would be written in Python. For more information, look <A href="http://www.splunk.com/base/Documentation/4.2/SearchReference/Aboutcustomsearchcommands" rel="nofollow">here</A> and <A href="http://www.splunk.com/base/Documentation/4.2/Developer/SearchScripts" rel="nofollow">here</A>.</P> <P>For your example case, a lookup is the way to go. If you are blacklisting individual IP addresses, create a CSV-based lookup with two fields <CODE>src_ip</CODE> and <CODE>blacklisted</CODE>, then search for, e.g., <CODE>blacklisted=1</CODE>. If you want to use network ranges instead, try the subnet lookup script referenced <A href="http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table" rel="nofollow">here</A> or use <A href="http://www.splunk.com/base/Documentation/4.2/Knowledge/Abouteventtypes" rel="nofollow">eventtypes</A>.</P> Fri, 25 Mar 2011 20:33:53 GMT southeringtonp 2011-03-25T20:33:53Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67783#M1560 <P>Is it possible to program some special consolidation inside Splunk?</P> <P>For example: I want to run trough all log lines, ordered by id_user and date. For each 30 minutes a user navigate on my site, I count one visitor session, except for IPs inside a black list.</P> <P>Is Splunk made for it?</P> Fri, 25 Mar 2011 19:16:55 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67783#M1560 fduprat 2011-03-25T19:16:55Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67784#M1561 <P>Splunk can do just about anything provided you know how to write the search query. Take a look at the 'transaction' command - I believe it is what you seek - </P> <P><A href="http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction" rel="nofollow">http://www.splunk.com/base/Documentation/latest/SearchReference/Transaction</A></P> Fri, 25 Mar 2011 19:28:56 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67784#M1561 netwrkr 2011-03-25T19:28:56Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67785#M1562 <P>Thank you! I will take a look.</P> Fri, 25 Mar 2011 19:45:49 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67785#M1562 fduprat 2011-03-25T19:45:49Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67786#M1563 <P>This works fine, but I must always use that query-like structure inside Splunk?</P> <P>Can I do some kink of structured programming inside Splunk? </P> <P>Can I use Java inside Splunk?</P> Fri, 25 Mar 2011 20:05:26 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67786#M1563 fduprat 2011-03-25T20:05:26Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67787#M1564 <P>Splunk is pretty flexible. Take a look at <B>lookup tables</B> and <B>custom search commands</B>.</P> <P><A href="http://www.splunk.com/base/Documentation/4.2/Knowledge/Addfieldsfromexternaldatasources" rel="nofollow">Lookup tables</A> allow you to add new fields based on existing ones. Typically you'll use a CSV file, but you can also us custom Python code. Take a look at the earlier question about <A href="http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table" rel="nofollow">Using CIDR in a lookup table</A> for more ideas.</P> <P>Custom search commands allow you to take things further, and process search results almost any way you want. Again, these would be written in Python. For more information, look <A href="http://www.splunk.com/base/Documentation/4.2/SearchReference/Aboutcustomsearchcommands" rel="nofollow">here</A> and <A href="http://www.splunk.com/base/Documentation/4.2/Developer/SearchScripts" rel="nofollow">here</A>.</P> <P>For your example case, a lookup is the way to go. If you are blacklisting individual IP addresses, create a CSV-based lookup with two fields <CODE>src_ip</CODE> and <CODE>blacklisted</CODE>, then search for, e.g., <CODE>blacklisted=1</CODE>. If you want to use network ranges instead, try the subnet lookup script referenced <A href="http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table" rel="nofollow">here</A> or use <A href="http://www.splunk.com/base/Documentation/4.2/Knowledge/Abouteventtypes" rel="nofollow">eventtypes</A>.</P> Fri, 25 Mar 2011 20:33:53 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67787#M1564 southeringtonp 2011-03-25T20:33:53Z https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67788#M1565 <P>have a try with: summary indexing and search macros</P> Fri, 25 Mar 2011 23:38:07 GMT https://community.splunk.com/t5/Reporting/Programming-business-rules-inside-Splunk/m-p/67788#M1565 fox 2011-03-25T23:38:07Z