topic Re: Log Analysis Request for IP Address Values in Splunk Search

Log Analysis Request for IP Address Values

Tajuddin — Wed, 31 Jul 2024 20:06:40 GMT

I need to perform an analysis based on a lookup file named checkin_rooms.csv, which includes a column confroom_ipaddress with values such as:

10.40.89.76
17.76.42.44
17.200.126.20

For each IP address in this file, I want to check the Splunk logs for the following conditions in the index=fow_checkin:

There is a message containing "IpAddress(from request body)"
There is no message associated with the same IP address that contains display button:panel-* in other events.

Example Log Entries:

message: Display Option Request Source: TouchPanel, IpAddress(from request body): null, Action: buttonDisplay, Timezone: null and IpAddress(from request header): 17.200.126.20
message: display button:panel-takeover for ipaddress: 17.200.126.20

Could someone please guide me on how to construct this query to identify which IP addresses from the lookup file meet these criteria? Thanks in advance

Re: Log Analysis Request for IP Address Values

PickleRick — Wed, 31 Jul 2024 20:35:59 GMT

This can have multiple solutions depending on your data parameters (especially cardinality).

Your main problem (performancewise) will be the second condition. Because how can you find something that's not there? You have to list everything that is there and compare with what you get from the first conditon. With a small result set that's relatively quick but with a big one - not so much.

Also:

1. Do you have any fields extracted from your events?

2. In the second type of events is there a space between ipaddress: and the actual address or not?

Re: Log Analysis Request for IP Address Values

gcusello — Thu, 01 Aug 2024 07:00:17 GMT

Hi @Tajuddin ,

in addition to the questions from @PickleRick I need to know: the two conditions you listed are related with OR or AND?

then what's the name of the field (in the main search) to compare with confroom_ipaddress of the checkin_rooms.csv lookup? i use IP_Address but you can change.

anyway, eventually change my main search:

index=fow_checkin [| inputlookup checkin_rooms.csv | rename confroom_ipaddress AS IP_Address | fields IP_Address ] ("IpAddress(from request body)" OR NOT "display button:panel-*") | ...

Ciao.

Giuseppe