Splunk Search

Working with multiple rows of results?


Hey folks:

I'd like to do a little looping/grouping of search results but am not familiar enough with Splunk commands to do so. Here's what I'm trying to do:

My search is -

sourcetype="radacct" Start | localop | geoip CALLING_IP | search User_Name="somename" | dedup CALLING_IP_latitude, CALLING_IP_longitude consecutive=true | table _time, CALLING_IP_latitude, CALLING_IP_longitude

And I get output like -

    time                     latitude   longitude
1   6/17/11 1:46:53.000 AM   30.2591    48.451
2   6/17/11 12:38:42.00 AM   32.7026    51.1537
3   6/15/11 2:34:05.000 PM   35.6667    51.1667

I'd like to take two rows at a time of latitudes and longitudes and run them through an external lookup that gets the distance in miles between the two points. The external lookup is a python script and works great. I'm just not sure how to iterate through this search, grabbing pairs of rows to run a lookup on...

What I'd like to get after the lookup is something like:

    time                     latitude   longitude   miles
1   6/17/11 1:46:53.000 AM   30.2591    48.451
2   6/17/11 12:38:42.00 AM   32.7026    51.1537
3   6/15/11 2:34:05.000 PM   35.6667    51.1667     95

Thoughts on how to do this?

As you can imagine, I'm next going to take the time delta between the two rows and divide miles by time, and throw an alert above a threshold; people who travel 1000 mph shouldn't need to be logging into VPN accounts 😉

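A stand-alone version of the pairing-and-distance step the question describes, as an added example that is not part of the original post or of the poster's lookup script: it walks the three result rows in adjacent pairs, computes the great-circle distance in miles (haversine, which is an assumption about what the external lookup does), and derives the elapsed time and implied speed that the follow-up alert needs. The Earth radius constant and the 1000 mph threshold are assumptions taken from the post's own numbers.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed mean Earth radius; the original lookup script's value is not on the page.
EARTH_RADIUS_MILES = 3958.8

# Constructed from the three result rows shown in the question (newest first,
# which is the order Splunk returns them).
SAMPLE_ROWS = [
    ("6/17/11 1:46:53.000 AM", 30.2591, 48.451),
    ("6/17/11 12:38:42.00 AM", 32.7026, 51.1537),
    ("6/15/11 2:34:05.000 PM", 35.6667, 51.1667),
]


def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def parse_splunk_time(text):
    """Parse the '6/17/11 1:46:53.000 AM' format shown in the question's table."""
    return datetime.strptime(text, "%m/%d/%y %I:%M:%S.%f %p")


def pair_consecutive(rows, max_mph=1000.0):
    """Walk adjacent rows as (newer, older) pairs and attach distance, elapsed
    time and implied speed to each pair; flag any pair faster than max_mph."""
    results = []
    for newer, older in zip(rows, rows[1:]):
        delta = parse_splunk_time(newer[0]) - parse_splunk_time(older[0])
        hours = abs(delta.total_seconds()) / 3600
        miles = miles_between(newer[1], newer[2], older[1], older[2])
        if hours > 0:
            mph = miles / hours
        else:
            # Two logins at the same instant from different places: treat as
            # infinitely fast rather than dividing by zero.
            mph = float("inf") if miles > 0 else 0.0
        results.append({"from": older[0], "to": newer[0], "miles": round(miles, 1),
                        "hours": round(hours, 3), "mph": round(mph, 1),
                        "impossible": mph > max_mph})
    return results


if __name__ == "__main__":
    for pair in pair_consecutive(SAMPLE_ROWS):
        print(pair)
```

In SPL the same "previous row" pairing is usually done with `streamstats current=f window=1 last(CALLING_IP_latitude) as prev_lat last(CALLING_IP_longitude) as prev_lon last(_time) as prev_time` placed before the lookup, so each event carries the coordinates of the row before it.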


Have you tried converting your external lookup script into a custom search command? A search command would give you more flexibility in seeing/changing data inside the event stream. The API is a little different, but more suited to the purpose you are trying to achieve here.
