Splunk Search

inputcsv join results to a search

Builder

Greetings,

I know I must be close but missing something with this.

I have a CSV containing Group_Name which are VPN groups. I want to take that list of about 185 groups and use them to search our Cisco ASA for which groups are being used over a time period.

I have a form that does this one by one with the search to grab all the groups as:

|inputcsv ASA_VPN_Groups.csv | fields Group_Name

and the search to count the number of times accessed over the period as:

index=index01 VPN_Group=$Group_Name$ |timechart count(_raw) as num |stats sum(num)

Now I want to put them together into a table that will show me each group and how many times it has been used over the time period

Any suggestions will be very much appreciated.

Dave


Re: inputcsv join results to a search

Esteemed Legend

Like this:

 index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | timechart count(_raw) AS num BY VPN_Group


Re: inputcsv join results to a search

Builder

Hmm, that just gives me the total number of times the VPN has been accessed (I assume by all groups).

Maybe I wasn't clear, I would like a table with groups and times accessed e.g.:

Group 1 --- 210
Group 2 --- 51
Group 3 --- 0
Group 4 --- 75
etc.

Thanks!


Re: inputcsv join results to a search

Esteemed Legend

Sorry, original answer re-edited.


Re: inputcsv join results to a search

Builder

OK! Now I am getting some groups to show as columns in a table with daily counts; however, after 5 groups it is lumping the rest into "Other".

Also, is there a way to not show daily but just the cumulative number of all days AND put the groups down the vertical as rows?

See my ASCII "art" above 😉

Thanks so much!


Re: inputcsv join results to a search

Esteemed Legend

Like this:

index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | stats count(_raw) AS num BY VPN_Group

Re: inputcsv join results to a search

Builder

You got it!

Thanks so much!!!!
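
Added example, not part of the original thread: `stats ... BY VPN_Group` only returns groups that have at least one matching event, so a group that was never used in the period (the "Group 3 --- 0" row in the table requested above) does not appear in the output. The search below uses only the index, lookup file and field names already given in the thread; it appends every group from the CSV with a count of 0 and then sums, so unused groups are listed with 0.

```spl
index=index01
    [| inputcsv ASA_VPN_Groups.csv
     | rename Group_Name AS VPN_Group
     | fields VPN_Group ]
| stats count AS num BY VPN_Group
| append
    [| inputcsv ASA_VPN_Groups.csv
     | rename Group_Name AS VPN_Group
     | fields VPN_Group
     | eval num=0 ]
| stats sum(num) AS num BY VPN_Group
| sort - num
```

Adding `| where num=0` after the final `stats` lists only the groups with no connections in the selected time range, which is the usual starting point when reviewing VPN groups for removal.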
