Hey folks:
I'd like to do a little looping/grouping of search results but am not familiar enough with Splunk commands to do so. Here's what I'm trying to do:
My search is -
sourcetype="radacct" Start | localop | geoip CALLING_IP | search User_Name="somename" | dedup CALLING_IP_latitude, CALLING_IP_longitude consecutive=true | table _time, CALLING_IP_latitude, CALLING_IP_longitude
And I get output like -
  time                     latitude  longitude
1 6/17/11 1:46:53.000 AM   30.2591   48.451
2 6/17/11 12:38:42.00 AM   32.7026   51.1537
3 6/15/11 2:34:05.000 PM   35.6667   51.1667
I'd like to take two rows at a time of latitudes and longitudes and run them through an external lookup that gets the distance in miles between the two points. The external lookup is a python script and works great. I'm just not sure how to iterate through this search, grabbing pairs of rows to run a lookup on...
What I'd like to get after the lookup is something like:
  time                     latitude  longitude  miles
1 6/17/11 1:46:53.000 AM   30.2591   48.451
2 6/17/11 12:38:42.00 AM   32.7026   51.1537    232.326
3 6/15/11 2:34:05.000 PM   35.6667   51.166795
Thoughts on how to do this?
As you can imagine, I'm next going to take the time delta between the two rows and divide miles by time, and throw an alert above a threshold; people who travel 1000mph shouldn't need to be logging into VPN accounts 😉
Have you tried converting your external lookup script into a custom search command? A search command would give you more flexibility in seeing/changing data inside the event stream. The API is a little different, but more suited to the purpose you are trying to achieve here.
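As an added illustration (not code from the question's author, from the answer, or from Splunk), the script below does the row-pairing and the miles/time/mph arithmetic the question describes, in plain Python so it runs outside Splunk. It assumes a haversine great-circle distance (the questioner's own lookup script is not shown, so this is an assumption), the field names `_time`, `CALLING_IP_latitude` and `CALLING_IP_longitude` from the search, and that the rows are first sorted oldest-to-newest (the `table` output lists newest first). The three sample rows are constructed from the question's table; on those, the hop between rows 2 and 1 comes out at about 232 miles, matching the expected output above. It goes slightly beyond the question by also returning the mph for each hop and flagging hops above a threshold, which is what a custom search command built from this logic would emit.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Mean Earth radius in miles; the questioner's lookup may use a slightly
# different constant, which explains small differences in the third decimal.
EARTH_RADIUS_MILES = 3958.8

# Constructed sample: the three rows from the question, in the order Splunk's
# "table" command listed them (newest first).
SAMPLE_ROWS = [
    {"_time": "6/17/11 1:46:53.000 AM", "CALLING_IP_latitude": "30.2591", "CALLING_IP_longitude": "48.451"},
    {"_time": "6/17/11 12:38:42.00 AM", "CALLING_IP_latitude": "32.7026", "CALLING_IP_longitude": "51.1537"},
    {"_time": "6/15/11 2:34:05.000 PM", "CALLING_IP_latitude": "35.6667", "CALLING_IP_longitude": "51.1667"},
]


def parse_time(text):
    """Parse the timestamp format shown in the question's table."""
    return datetime.strptime(text, "%m/%d/%y %I:%M:%S.%f %p")


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def hops(rows):
    """Pair each row with the next-oldest one and compute miles, hours and mph.

    Rows are sorted ascending by _time first so that the hop direction is
    always earlier -> later. A zero time delta with a non-zero distance yields
    an infinite speed, which a threshold check will always flag.
    """
    ordered = sorted(rows, key=lambda r: parse_time(r["_time"]))
    out = []
    for prev, cur in zip(ordered, ordered[1:]):
        miles = haversine_miles(
            float(prev["CALLING_IP_latitude"]), float(prev["CALLING_IP_longitude"]),
            float(cur["CALLING_IP_latitude"]), float(cur["CALLING_IP_longitude"]),
        )
        hours = (parse_time(cur["_time"]) - parse_time(prev["_time"])).total_seconds() / 3600.0
        if hours > 0:
            mph = miles / hours
        else:
            mph = 0.0 if miles == 0 else float("inf")
        out.append({
            "from": prev["_time"],
            "to": cur["_time"],
            "miles": round(miles, 3),
            "hours": round(hours, 4),
            "mph": mph,
        })
    return out


def impossible_travel(rows, threshold_mph=1000.0):
    """Return only the hops whose implied speed exceeds the threshold."""
    return [h for h in hops(rows) if h["mph"] > threshold_mph]


if __name__ == "__main__":
    for hop in hops(SAMPLE_ROWS):
        print("{from} -> {to}: {miles} mi in {hours} h = {mph:.1f} mph".format(**hop))
    print("flagged:", impossible_travel(SAMPLE_ROWS))
```

Run as a script it prints one line per hop for the sample rows; `impossible_travel` is the piece that would become the alerting condition, with the threshold kept as a parameter so the 1000 mph figure from the question can be tuned to the accuracy of the GeoIP data.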