hi, is there a way to make a saved report that, given a fixed list of ip addresses, the report tells me which ones do not appear in a splunk search? Thanks
How I would tackle this is create a single column csv file in var/run/splunk called ip.csv. Give it a header name called IPADDRESS. This should be the fixed list of IP's
Then I would do a search like below(rename ipfieldname with whatever the ip containing fieldname is called in your data and also rename the sourcetype value if you are even searching by a sourcetype)
| inputcsv ip.csv | join type=left IPADDRESS [search sourcetype=somesourcetype | stats count(ipfieldname) AS IPCOUNT by ipfieldname | rename ipfieldname AS IPADDRESS] | search NOT IPCOUNT=*
This will pull in the full list of fixed ips then run a subsearch which gets a count for each unique ip that it finds in your indexed data. it will when join that ip count to the csv list leaving any IP's that dont have a count to be left with a null value for the IPCOUNT field. Then the end of the search it looks for any IPCOUNT that dont have a value which means it was not seen in the data.
There is probably a better way to do it but that's how off the top of my head i would do it.
How I would tackle this is create a single column csv file in var/run/splunk called ip.csv. Give it a header name called IPADDRESS. This should be the fixed list of IP's
Then I would do a search like below(rename ipfieldname with whatever the ip containing fieldname is called in your data and also rename the sourcetype value if you are even searching by a sourcetype)
| inputcsv ip.csv | join type=left IPADDRESS [search sourcetype=somesourcetype | stats count(ipfieldname) AS IPCOUNT by ipfieldname | rename ipfieldname AS IPADDRESS] | search NOT IPCOUNT=*
This will pull in the full list of fixed ips then run a subsearch which gets a count for each unique ip that it finds in your indexed data. it will when join that ip count to the csv list leaving any IP's that dont have a count to be left with a null value for the IPCOUNT field. Then the end of the search it looks for any IPCOUNT that dont have a value which means it was not seen in the data.
There is probably a better way to do it but that's how off the top of my head i would do it.
yep! 🙂 thx
Do you mean that given the list foo,bar,fiz,baz, if the results only have foo and bar, you want the report to show you fiz and baz?