Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search for all events for IP address within a CSV file

umarfarooq
Explorer
‎11-16-2017 12:33 PM

I would like to know how we can search for all events for a list of IP in a CSV file.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-16-2017 01:41 PM

Without much information here, my suggestion would be this:

Search based on a field (assuming each event have a field called IP_Address, adjust per your situation)

index=foo sourcetype=bar   [| inputlookup yourcsvfile.csv | table IP_Address ]

String based search (no fields are extracted, searching IP address in the raw data)

index=foo sourcetype=bar   [| inputlookup yourcsvfile.csv | table IP_Address | rename IP_Address as search ]

View solution in original post

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎11-16-2017 01:42 PM

If you have a CSV file called ip.csv with a column called IP in Splunk, you can feed it into a search like this:
index=myindex [ | inputlookup ip.csv | stats values(IP) AS search | format ]

That will turn each IP address from ip.csv into a seach term. So if your CSV file looked like this:

IP

1.2.3.4

2.3.4.5

3.4.5.6

Then the above search would wind up searching for this: index=myindex ("1.2.3.4" OR "2.3.4.5" OR "3.4.5.6")

Reply
Solved! Jump to solution

umarfarooq
Explorer
‎11-16-2017 01:58 PM

Thank you very much.

This solved my problem.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-16-2017 01:41 PM

Without much information here, my suggestion would be this:

Search based on a field (assuming each event have a field called IP_Address, adjust per your situation)

index=foo sourcetype=bar   [| inputlookup yourcsvfile.csv | table IP_Address ]

String based search (no fields are extracted, searching IP address in the raw data)

index=foo sourcetype=bar   [| inputlookup yourcsvfile.csv | table IP_Address | rename IP_Address as search ]
Reply
Solved! Jump to solution

umarfarooq
Explorer
‎11-16-2017 01:59 PM

Hi.

Sorry for being a bit vague, I'm very new to Splunk and its search language.

I've marking this as a solution.

Thanks for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...