I am trying to run a search against proxylogs to find any events that contain any IP listed in a certain CSV file, but am having absolutely no luck.
I have created and uploaded a CSV file (attached at the end of this post with the real values changed) as a lookup table by uploading it as a lookup file and then adding a definition for it. I have run dozens of different searches based on examples I found online, but can't seem to get any to work! The best answer I could find online was this:
index=proxylogs
| fields client_ip
| lookup ip_list.csv ip OUTPUT ip AS ip_out
| search ip_out=*
But it returns no results! Keeping in mind that I am certain the IPs listed in my CSV are definitely in the proxylogs, what could I be doing wrong?
Going crazy here so any and all help is appreciated!
Sample csv:
ip_list.csv
ip
10.53.13.101
10.23.32.113
10.49.39.124
Your base search has a 'client_ip' field, but the lookup command is using the non-existent 'ip' field. Try ... | lookup ip_list.csv ip AS client_ip OUTPUT ip AS ip_out | ...
You are amazing, thank you.
Mind a follow up question? Would it be possible to only return the first recorded event instance (chronologically oldest) for each IP listed in the csv? I have an idea that it would be possible just not quite sure how difficult it would be.
Try either stats earliest(ip_out) or stats last(ip_out).
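Putting the two answers together, here is a complete search that applies the field-name fix from the first answer and then keeps only the chronologically oldest event per matched IP. This is an added example, not the search posted by either participant. It assumes the same index (proxylogs), event field (client_ip) and lookup file (ip_list.csv with an ip column) described in the question, and that _time is the event timestamp, which is the Splunk default.

```spl
index=proxylogs
| fields _time client_ip
| lookup ip_list.csv ip AS client_ip OUTPUT ip AS ip_out
| search ip_out=*
| stats earliest(_time) AS first_seen BY client_ip
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| sort first_seen
```

The lookup matches the event's client_ip against the ip column of the CSV and, for matched rows, copies the value into ip_out; the search ip_out=* drops events whose client_ip is not in the list. The stats clause then collapses each IP to its single oldest timestamp (earliest() picks the minimum _time within each client_ip group), and the eval turns the epoch value back into a readable date. If the search still returns nothing, running | inputlookup ip_list.csv on its own confirms that the lookup file and its definition were actually uploaded and that the column header is spelled ip.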