Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search a list of IPs between specific time ranges from a lookup CSV file?

rusty009
Path Finder
‎12-16-2015 03:06 AM

I am looking to search for a given value (an IP in this case) between a specific time range. This is easy to do as a one off, but I have a large number of IP’s I need to search for and would ideally like to have a lookup table, with the IP’s and date ranges and for it to be searched for automatically like the below search.csv lookup,

‘src’,’earliest’,’latest’
‘1.1.1.1’, 11/27/2015:10:00:00, 11/27/2015:11:00:00

but it doesn’t seem to be working. Am I doing something wrong? Is there a batter way to do this?

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-16-2015 05:06 AM

I would drop the latest, and move the earliest field to the first column and rename it to datetime... etc.

Then in props.conf I'd use TIMESTAMP_FIELDS = datetime

http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Propsconf

Then I'd index the csv instead of using it as a lookup.

Then you can do things like searching for a specific time frame... and you'll only see events from that time frame with the Ips from that time frame.

You can then do things like | stats min(datetime) by IP .... | timechart max(datetime) by IP ....

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎12-16-2015 05:06 AM

I would drop the latest, and move the earliest field to the first column and rename it to datetime... etc.

Then in props.conf I'd use TIMESTAMP_FIELDS = datetime

http://docs.splunk.com/Documentation/Splunk/6.2.6/Admin/Propsconf

Then I'd index the csv instead of using it as a lookup.

Then you can do things like searching for a specific time frame... and you'll only see events from that time frame with the Ips from that time frame.

You can then do things like | stats min(datetime) by IP .... | timechart max(datetime) by IP ....

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎12-16-2015 05:03 AM

Any relation to this question? https://answers.splunk.com/answers/334605/inputlookup-on-csv-including-date-ranges-in-csv-he.html

Is this a duplicate question written by a different member of your team?

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...