Splunk Search

Why am I unable to use a CSV lookup table as input for my search?

I am trying to run a search against proxylogs to find any events that contain any IP listed in a certain CSV file, but am having absolutely no luck.

I have created and uploaded a CSV file (attached at the end of this post with the real values changed) as a lookup table by uploading it as a lookup file and then adding a definition for it. I have run dozens of different searches based on examples I found online, but can't seem to get any to work! The best answer I could find online was this:

index=proxylogs 
 | fields client_ip
 | lookup ip_list.csv ip OUTPUT ip AS ip_out
 | search ip_out=*

But it returns no results! Keeping in mind that I am certain the IPs listed in my CSV are definitely in the proxylogs, what could I be doing wrong?

Going crazy here so any and all help is appreciated!

Sample csv:

ip_list.csv

ip
10.53.13.101
10.23.32.113
10.49.39.124

0 Karma
1 Solution

SplunkTrust

Your base search has a 'client_ip' field, but the lookup command is using the non-existent 'ip' field. Try `... | lookup ip_list.csv ip AS client_ip OUTPUT ip AS ip_out | ...`

---
If this reply helps you, an upvote would be appreciated.



You are amazing, thank you.

Mind a follow-up question? Would it be possible to only return the first recorded event instance (chronologically oldest) for each IP listed in the csv? I have an idea that it would be possible, just not quite sure how difficult it would be.

0 Karma

SplunkTrust

Try either stats earliest(ip_out) or stats last(ip_out).

---
If this reply helps you, an upvote would be appreciated.
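As an added illustration, not part of the thread: the Python below walks through what the accepted answer's lookup does and why the original search returned nothing, then applies the follow-up's "oldest event per listed IP" reduction. The CSV layout and the field names client_ip, ip_out and _time are taken from the posts; the proxy events, the dest field and the timestamps are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed lookup file, same layout as the ip_list.csv shown in the question.
IP_LIST_CSV = """ip
10.53.13.101
10.23.32.113
10.49.39.124
"""

# Constructed proxy events. Two listed IPs appear (one of them more than once,
# out of time order); one listed IP never appears; one IP is not on the list.
PROXY_EVENTS = [
    {"_time": "2024-03-01T08:00:00", "client_ip": "10.53.13.101", "dest": "example.com"},
    {"_time": "2024-03-01T08:05:00", "client_ip": "192.168.1.9", "dest": "example.org"},
    {"_time": "2024-03-01T09:12:00", "client_ip": "10.23.32.113", "dest": "example.net"},
    {"_time": "2024-03-01T07:45:00", "client_ip": "10.53.13.101", "dest": "example.org"},
    {"_time": "2024-03-02T10:00:00", "client_ip": "10.23.32.113", "dest": "example.com"},
]


def load_lookup(csv_text):
    """Read the lookup CSV and return the set of values in its 'ip' column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ip"].strip() for row in reader if row.get("ip")}


def lookup_events(events, ip_set, event_field="client_ip"):
    """Mimic `lookup ip_list.csv ip AS <event_field> OUTPUT ip AS ip_out | search ip_out=*`.

    The lookup compares the event field named by `event_field` against the CSV's
    'ip' column. With the default (the fix from the thread) events match; with
    event_field="ip", as in the original search, no event carries that field,
    so nothing matches and the result is empty."""
    matched = []
    for ev in events:
        value = ev.get(event_field)
        if value in ip_set:
            matched.append({**ev, "ip_out": value})
    return matched


def first_seen_by_ip(matched):
    """Keep the chronologically oldest matched event for each ip_out value,
    i.e. the effect of an earliest()/min(_time) reduction split by ip_out."""
    first = {}
    for ev in matched:
        t = datetime.fromisoformat(ev["_time"])
        current = first.get(ev["ip_out"])
        if current is None or t < datetime.fromisoformat(current["_time"]):
            first[ev["ip_out"]] = ev
    return first


def unseen_ips(ip_set, matched):
    """Listed IPs with no matching event at all; useful as a sanity check that
    the lookup is actually being applied to the right field."""
    return ip_set - {ev["ip_out"] for ev in matched}


if __name__ == "__main__":
    ips = load_lookup(IP_LIST_CSV)
    print("original search (field 'ip'):", lookup_events(PROXY_EVENTS, ips, "ip"))
    hits = lookup_events(PROXY_EVENTS, ips)
    print("corrected search (field 'client_ip'):", len(hits), "events")
    for ip, ev in sorted(first_seen_by_ip(hits).items()):
        print(ip, "first seen", ev["_time"], "->", ev["dest"])
    print("listed but never seen:", unseen_ips(ips, hits))
```

The key point the code makes explicit is that a lookup only ever compares the fields you name: when the event side is called client_ip and the lookup is told to use ip, every comparison is against a missing field and the result set is empty, which is exactly the "no results" symptom in the question.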