Working with multiple rows of results?

Mike_H
Engager

Hey folks:

I'd like to do a little looping/grouping of search results but am not familiar enough with Splunk commands to do so. Here's what I'm trying to do:

My search is -

sourcetype="radacct" Start | localop | geoip CALLING_IP | search User_Name="somename" | dedup CALLING_IP_latitude, CALLING_IP_longitude consecutive=true | table _time, CALLING_IP_latitude, CALLING_IP_longitude

And I get output like -

                 time        latitude   longitude
1 6/17/11 1:46:53.000 AM     30.2591    48.451
2 6/17/11 12:38:42.00 AM     32.7026    51.1537    
3 6/15/11 2:34:05.000 PM     35.6667    51.1667

I'd like to take two rows at a time of latitudes and longitudes and run them through an external lookup that gets the distance in miles between the two points. The external lookup is a python script and works great. I'm just not sure how to iterate through this search, grabbing pairs of rows to run a lookup on...

What I'd like to get after the lookup is something like:

                 time        latitude   longitude         miles
1 6/17/11 1:46:53.000 AM     30.2591    48.451
2 6/17/11 12:38:42.00 AM     32.7026    51.1537
                                                          232.326
3 6/15/11 2:34:05.000 PM     35.6667    51.166795

Thoughts on how to do this?

As you can imagine, I'm next going to take the time delta between the two rows and divide miles by time, and throw an alert above a threshold; people who travel 1000 mph shouldn't need to be logging into VPN accounts 😉


dwaddle
SplunkTrust

Have you tried converting your external lookup script into a custom search command? A search command would give you more flexibility in seeing/changing data inside the event stream. The API is a little different, but more suited to the purpose you are trying to achieve here.

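The pairwise distance-and-speed step the question describes, written out as an added plain-Python example (not the poster's lookup script and not a Splunk SDK command); it is the core logic that a custom search command of the kind dwaddle suggests would wrap around the event stream. Field names and the timestamp format are taken from the question's table, the sample rows are constructed from it, and the Earth radius constant is an assumption (the poster's script evidently used a slightly different one, hence 232.07 here versus 232.326 in the post).

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8  # assumption: mean Earth radius; any other constant shifts results slightly
TIME_FORMAT = "%m/%d/%y %I:%M:%S.%f %p"  # matches the _time column in the question's table

# Constructed sample rows, copied from the question's output (newest first, as Splunk returns them)
SAMPLE_ROWS = [
    {"_time": "6/17/11 1:46:53.000 AM", "CALLING_IP_latitude": 30.2591, "CALLING_IP_longitude": 48.451},
    {"_time": "6/17/11 12:38:42.00 AM", "CALLING_IP_latitude": 32.7026, "CALLING_IP_longitude": 51.1537},
    {"_time": "6/15/11 2:34:05.000 PM", "CALLING_IP_latitude": 35.6667, "CALLING_IP_longitude": 51.1667},
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two latitude/longitude points, in miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def travel_pairs(rows, max_mph):
    """Pair each login with the previous one (oldest first) and compute miles, hours, mph and a flag."""
    ordered = sorted(rows, key=lambda r: datetime.strptime(r["_time"], TIME_FORMAT))
    results = []
    for prev, cur in zip(ordered, ordered[1:]):
        t_prev = datetime.strptime(prev["_time"], TIME_FORMAT)
        t_cur = datetime.strptime(cur["_time"], TIME_FORMAT)
        miles = haversine_miles(prev["CALLING_IP_latitude"], prev["CALLING_IP_longitude"],
                                cur["CALLING_IP_latitude"], cur["CALLING_IP_longitude"])
        hours = (t_cur - t_prev).total_seconds() / 3600.0
        # Two logins from different places in the same second: infinite speed, not a division error
        if hours > 0:
            mph = miles / hours
        else:
            mph = float("inf") if miles > 0 else 0.0
        results.append({"from": prev["_time"], "to": cur["_time"], "miles": round(miles, 3),
                        "hours": round(hours, 3), "mph": round(mph, 1), "impossible": mph > max_mph})
    return results


if __name__ == "__main__":
    for pair in travel_pairs(SAMPLE_ROWS, max_mph=1000):
        print(pair)
```

On the question's three rows the 12:38 AM to 1:46 AM hop works out to roughly 204 mph, so nothing trips the poster's 1000 mph threshold; lowering the threshold is what turns the second pair into an alert.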