Splunk Search

compare a previous result

Path Finder

I have created a search for my VPN users, when they connect, from where they connect (SRC IP) and geoip that IP to lookup the country, city, state.

What I would like to do now is to be able to store that value, and the next time that user logs in so that I would be able to display their last IP, and Geo location information, so I can build a trend as to if that user is logging in from the same place or not.

Any way to do this?


Re: compare a previous result


You could have your search results output to a csv file and then use that file as a lookup table in the future.

Here is a answer that talks about this idea, although the question is different: Lookup table populating from a saved search

Here is some info from the documentation (but you may need to read a little more about lookups, too):
Use Search Results to Populate a Lookup Table

View solution in original post