Hi Community,
Suppose I get a list of IPs once a week and I want to search all the indexes for these IPs. Is it possible to take a list of IPs, paste them into a field on a dashboard, click Submit to search all of the indexes (or maybe one or two from a dropdown) for any events? This includes Splunk automatically adding ORs between each IP.
Ideally, I want to copy and paste into a field, click submit and run the following query:
search index=* ( 10.0.0.1 OR 10.0.0.2 OR 10.0.0.3 )
Those results would be populated into a statistics table. Is there a more efficient way or is this even possible?
If you put this in your macros.conf
[ORify(1)]
args = x
definition = replace("$x$", "\s+", " OR ")
iseval = 1
you can paste your space-separated list of IPs into a text field and run this search:
index=* ( `ORify($IP_token$)` )
You can paste into an IPs.csv file with a header line that says IP_Address, upload the file as a lookup table, then do something like this:
index=* [|inputlookup IPs.csv | rename IP_Address AS query]
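Both answers splice the pasted text straight into the search, so anything that is not an IP would reach SPL too. The helper below is an added example (not from either answer) that validates every pasted token as an IPv4/IPv6 literal before building the same `index=* ( ... OR ... )` search the question asks for, and can also emit the IPs.csv content for the lookup-table approach; the function names and the sample paste are constructed for this illustration.

```python
import ipaddress
import re


def parse_ips(pasted):
    """Split a pasted list on whitespace, commas or semicolons, validate every
    token as an IPv4 or IPv6 literal and drop duplicates (order preserved).
    Rejecting anything that is not an IP keeps stray SPL out of the search."""
    ips, seen = [], set()
    for token in re.split(r"[\s,;]+", pasted.strip()):
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            raise ValueError(f"not an IP address: {token!r}") from None
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    if not ips:
        raise ValueError("no IP addresses supplied")
    return ips


def _spl_term(ip):
    # IPv6 literals contain '::', which SPL can read as field::value syntax,
    # so quote them; plain IPv4 dotted quads are safe as bare search terms.
    return str(ip) if ip.version == 4 else f'"{ip}"'


def build_ip_search(pasted, index="*"):
    """Validated equivalent of the ORify macro: returns the search string
    the question asked for, e.g. 'search index=* ( 10.0.0.1 OR 10.0.0.2 )'."""
    terms = " OR ".join(_spl_term(ip) for ip in parse_ips(pasted))
    return f"search index={index} ( {terms} )"


def to_lookup_csv(pasted):
    """Content of IPs.csv for the lookup-table answer (header IP_Address)."""
    return "IP_Address\n" + "\n".join(str(ip) for ip in parse_ips(pasted)) + "\n"


if __name__ == "__main__":
    # Constructed sample of a weekly paste: a duplicate and an IPv6 address included.
    sample = "10.0.0.1 10.0.0.2\n10.0.0.3, 10.0.0.1 2001:db8::1"
    print(build_ip_search(sample))
    print(to_lookup_csv(sample), end="")
    try:
        build_ip_search("10.0.0.1 badhost")  # non-IP token is refused
    except ValueError as err:
        print("rejected:", err)
```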