I have a CSV (current_assets.csv) with the fields device_name and ip (and tons of values for them). Here is an example:

device_name  ip
router1      220.127.116.11
laptop2      18.104.22.168
How do I search my index (sourcetype="device_assets") for the CSV IPs and return whether or not each IP is found within the index? An example result would be:

device_name  ip              found
router1      22.214.171.124  Yes
laptop2      126.96.36.199   No
Important note: The solution CANNOT use the |join command because this is very intensive/slow for my current deployment.
You could use the inputcsv command. The syntax would be
sourcetype="device_assets" | inputcsv current_assets.csv
Documentation on this command: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv
This returns an "Error in 'inputcsv' command: This command must be the first command of a search" error.
| inputlookup current_assets.csv
| eval source="lookup"
| append [search index="your index" sourcetype="device_assets" | stats count by ip | fields ip | eval source="events"]
| stats values(device_name) as device_name, values(source) as source by ip
| where mvcount(source)>1 OR source="lookup"
| eval found=if(mvcount(source)>1, "Yes", "No")
| fields - source
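A variant of the same idea, added here as an illustration and not taken from the thread: it reads the events in the main search and pulls the CSV rows in with the inputlookup append=true option instead of a subsearch, so it is not subject to the subsearch row and time limits that an append [search ...] subsearch runs under, which matters when the index has a large number of distinct IPs. It assumes current_assets.csv is uploaded as a lookup file and that the ip field is stored in the same string form in both the CSV and the events (for example, no port suffix or CIDR notation), since the match is an exact string comparison.

```spl
sourcetype="device_assets"
| stats count by ip
| inputlookup append=true current_assets.csv
| stats sum(count) as events, values(device_name) as device_name by ip
| where isnotnull(device_name)
| fillnull value=0 events
| eval found=if(events>0, "Yes", "No")
| table device_name ip found
```

Rows that came only from the index have no device_name and are dropped by the where clause; CSV rows with no matching events have no count to sum, so fillnull sets events to 0 and they are reported as "No". Because the data is aggregated by ip, an IP that appears under several device names in the CSV shows device_name as a multivalue field.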