Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Search for all events for IP address within a CSV ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
umarfarooq
Explorer
11-16-2017
12:33 PM
I would like to know how we can search for all events for a list of IP in a CSV file.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-16-2017
01:41 PM
Without much information here, my suggestion would be this:
Search based on a field (assuming each event have a field called IP_Address, adjust per your situation)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address ]
String based search (no fields are extracted, searching IP address in the raw data)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address | rename IP_Address as search ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
elliotproebstel
Champion
11-16-2017
01:42 PM
If you have a CSV file called ip.csv with a column called IP in Splunk, you can feed it into a search like this:
index=myindex [ | inputlookup ip.csv | stats values(IP) AS search | format ]
That will turn each IP address from ip.csv into a seach term. So if your CSV file looked like this:
IP
1.2.3.4
2.3.4.5
3.4.5.6
Then the above search would wind up searching for this:
index=myindex ("1.2.3.4" OR "2.3.4.5" OR "3.4.5.6")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
umarfarooq
Explorer
11-16-2017
01:58 PM
Thank you very much.
This solved my problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-16-2017
01:41 PM
Without much information here, my suggestion would be this:
Search based on a field (assuming each event have a field called IP_Address, adjust per your situation)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address ]
String based search (no fields are extracted, searching IP address in the raw data)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address | rename IP_Address as search ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
umarfarooq
Explorer
11-16-2017
01:59 PM
Hi.
Sorry for being a bit vague, I'm very new to Splunk and its search language.
I've marking this as a solution.
Thanks for your help.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
