Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use each row of a csv as an individual search and return the results in a table

tnegun
Engager
‎05-14-2024 11:25 AM

Hi all,

I've a csv file with 3 columns ip, earliest, latest and over 400 rows.  I'm trying to return all evens associated with the IP for an hour before and after the interesting request time.  The search below works for a single row but I can't figure out how treat each row as a unique search and compile the results at the end. 

What appears to happen when I upload multiple rows in the csv is the search will run for all interesting IPs from the earliest earliest value to the latest latest value. It kind of meets the intent but is very wasteful as the index is huge and the times span several years with days/months between them.

Is what I'm trying to achieve possible?

index=myindex client_ip_address earliest latest
[| inputlookup ip_list_2.csv
| eval ip = "*" . 'Extracted IP' . "*"
| eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60)
| eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60)
| fields ip earliest latest
]
Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎05-14-2024 04:55 PM

What @ITWhisperer , but I suspect your problem is that you have 

client_ip_address earliest latest

in your initial search term, which I am guessing corresponds to ip earliest latest in your lookup. If your data contains a field called ip and that is what you are calling client_ip_address, then remove client_ip_address also from your search.

If your data contains a field called client_ip_address and that is supposed to be a match for the ip in the lookup, then in your subsearch rename ip as client_ip_address.

Reply

tnegun
Engager
‎05-15-2024 03:37 AM

Apologies there was a typo as I renamed fields to try generalize this is the search I'm trying

 

 

index=myindex ip earliest latest
[| inputlookup ip_list_2.csv
| eval ip = "*" . 'Extracted IP' . "*"
| eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60)
| eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60)
| fields ip earliest latest
]

 

 

This is an sample of the csv

REQUEST_TIMEExtracted IP
3/29/24 16:131.1.1.1
3/14/24 8:51

2.2.2.2

1/26/24 13:24

3.3.3.3

 

I had though the search was running like this and stopped it

index=myindex (ip=1.1.1.1 OR ip =2.2.2.2 OR ip=3.3.3.3) earliest=1/26/24 13:24 latest =3/29/24 16:13 .

I only want to report on IP 1.1.1.1's activity at 3/29/24 16:13 and not any other time.

Thanks I'll try the suggestions and report back.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2024 03:56 PM

I am not sure what the problem is if it works! Having said that, I am not sure what the earliest and latest are doing on the index line. Try something like this

index=myindex client_ip_address
[| inputlookup ip_list_2.csv
| eval ip = "*" . 'Extracted IP' . "*"
| eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60)
| eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60)
| fields ip earliest latest
]

The subsearch becomes a series of (ip=value AND earliest=value AND latest=value) joined by ORs which is what you appear to want. Or am I missing something?

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...