Morning all,
In short, I need to be able to run a CSV lookup search against all my Splunk logs to find all SessionIDs that relate to the unique identifier in my CSV (ID1), and then use those SessionIDs to search again and find a different unique identifier (ID2) held in the same logs.
I have no influence over the setup, unfortunately, and I need to use the lookup first to isolate the right SessionIDs belonging to ID1.
Finding the SessionIDs associated with ID1 is fine, but I can't seem to run the search against the SessionIDs and table ID2.
(Effectively I need to table the results, as we need ID2 for further investigation.)
Any thoughts? (Excuse the poor attempt below.)
1st lookup:
* [| inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" | table date_mday date_month ID1 SessionID
Updated search to include a subsearch (but I don't think it is pulling against the SessionID):
* [| inputlookup ID1.csv] detail.detail1!="detail1" AND detail.detail2="detail2" AND detail.Body="***" [search * SessionID]
| table date_mday date_month ID1 SessionID
Try something like this...
index="foo1" your other search terms not including SessionID or any time references
[
your search that takes the lookup and gets the events with those SessionIDs
| fields _time SessionID
| stats min(_time) as earliest max(_time) as latest by SessionID
]
| your search terms that process the events returned.
The search in square brackets will equate to a complex test that looks like:
( ( SessionID="value1" AND earliest="lowtime1" AND latest="hightime1" ) OR
( SessionID="value2" AND earliest="lowtime2" AND latest="hightime2" ) OR
( SessionID="value3" AND earliest="lowtime3" AND latest="hightime3" ) OR
... )
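A concrete version of that pattern, written out here as an added example rather than code from the original answer. It assumes the names used in the thread: index foo1, a lookup file ID1.csv whose column is named ID1, event fields ID1, ID2 and SessionID, and the detail.* filters from the question; adjust them to your data. The inner inputlookup subsearch needs the leading pipe, because a subsearch otherwise starts with an implicit search command.

```spl
index="foo1"
    [ search index="foo1" detail.detail1!="detail1" detail.detail2="detail2" detail.Body="***"
          [ | inputlookup ID1.csv | fields ID1 ]
      | fields _time SessionID
      | stats min(_time) AS earliest max(_time) AS latest BY SessionID
      | eval latest=latest+1 ]
| stats values(ID1) AS ID1 values(ID2) AS ID2 min(_time) AS first_seen max(_time) AS last_seen BY SessionID
| where isnotnull(ID2)
| table SessionID ID1 ID2 first_seen last_seen
```

The subsearch returns one row per SessionID with its earliest and latest timestamps, which Splunk expands into the OR-of-ANDs shown above, so the outer search only scans the time windows in which those sessions were active. The eval pads latest by one second so an event sitting exactly on the upper boundary is not dropped. Two things to check before trusting the output: the window comes from the ID1 events only, so if the ID2 events for a session can occur outside that window, widen it (for example earliest=earliest-300, latest=latest+300) or drop the earliest/latest fields from the subsearch and filter on SessionID alone; and subsearches are capped by limits.conf (the [subsearch] maxout and maxtime settings, 10000 rows and 60 seconds by default), so a large lookup can silently truncate the list of sessions. The final stats collapses the outer results to one row per session and keeps only sessions where an ID2 was actually found.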