Hi @gcusello, Thanks for your answer. It may be a txt file but not for the all events. I was looking for a splunk feature to do that but I guess there is not. I mean since we can run scripts on host via forwarder, I thought we can do more like fetching a file instead monitoring it. As you mentioned, it would be a security problem for enterprise 🙂 ... View more

The app shows you exactly how to do what you need to do. I think that learning is fun. ... View more

I think I have figured it out somehow but still don't know why is your search doesn't work as I wanted. Maybe If I upload some screenshots, It will be more clear for you. This is my first search with the output csv. -- `sourcetype=firewall action=pass action=proxy | bin _time span=5m | dedup srcip | eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S") | table Time, srcip, srcport, dstip | rename srcip AS IP | outputlookup vpn.csv` This is my 2nd search with the output csv. -- `index=server sourcetype=dhcp | lookup vpn.csv srcip AS dest_ip | search Time=* | eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S") | where _time < event_time | stats latest(dest_nt_host) as dest_nt_host max(_time) as _time by dest_ip | sort - _time | rename dest_ip AS IP | outputlookup vpn2.csv` And the result is like that -- `| inputlookup vpn.csv | join IP [inputlookup vpn2.csv] | outputlookup vpn3.csv` Now it works as I wanted. That's what I was trying to explain. But I'm still open for advices. Images don't show up somehow. ... View more

Hello, i'm facing the same issue while posting a question.. can someone help? ... View more

Oh It fits for my problem then. Yeah as You mentioned that join and subsearch consume much resource. This method is just I wanted. Thanks sir! ... View more