×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
tnegun
Engager
Member since: ‎05-14-2024
‎05-17-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎05-14-2024
View All

Re: Use each row of a csv as an individual search ...

by in Splunk Search
‎05-15-2024 03:37 AM
‎05-15-2024 03:37 AM
Apologies there was a typo as I renamed fields to try generalize this is the search I'm trying     index=myindex ip earliest latest [| inputlookup ip_list_2.csv | eval ip = "*" . 'Extracted IP' . "*" | eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60) | eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60) | fields ip earliest latest ]     This is an sample of the csv REQUEST_TIME Extracted IP 3/29/24 16:13 1.1.1.1 3/14/24 8:51 2.2.2.2 1/26/24 13:24 3.3.3.3   I had though the search was running like this and stopped it index=myindex (ip=1.1.1.1 OR ip =2.2.2.2 OR ip=3.3.3.3) earliest=1/26/24 13:24 latest =3/29/24 16:13 . I only want to report on IP 1.1.1.1's activity at 3/29/24 16:13 and not any other time. Thanks I'll try the suggestions and report back. ... View more

Use each row of a csv as an individual search and ...

by in Splunk Search
‎05-14-2024 11:25 AM
‎05-14-2024 11:25 AM
Hi all, I've a csv file with 3 columns ip, earliest, latest and over 400 rows.  I'm trying to return all evens associated with the IP for an hour before and after the interesting request time.  The search below works for a single row but I can't figure out how treat each row as a unique search and compile the results at the end.  What appears to happen when I upload multiple rows in the csv is the search will run for all interesting IPs from the earliest earliest value to the latest latest value. It kind of meets the intent but is very wasteful as the index is huge and the times span several years with days/months between them. Is what I'm trying to achieve possible? index=myindex client_ip_address earliest latest [| inputlookup ip_list_2.csv | eval ip = "*" . 'Extracted IP' . "*" | eval earliest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")-(60*60) | eval latest=strptime('REQUEST_TIME', "%m/%d/%y %H:%M")+(60*60) | fields ip earliest latest ] ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-17-2024 07:23 PM
Karma given to
View All