I have a list of source and destination IPs that I'm trying to concatenate into one unique list and check against a CSV file. I'm trying to make a list of all the unique source IPs (I don't need the count, but it'd be nice), add that to a list of unique destination IPs, then take all that and display only the IPs that match a CSV file I have. Does anyone have an idea of how to do that?
Like this:
... | dedup myIPfield | table myIPfield | eval dataSource="events" | appendpipe [|inputcsv myIPfile.csv | table myIPfield | eval dataSource="CSV"] | stats values(*) AS * dc(dataSource) AS numSources BY myIPfield ...
Then you can finish out with:
For inner join:
| where numSources=2
For left join:
| where dataSource="events"
For right join:
| where dataSource="CSV"
For outer join:
| where numSources=1
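A fuller version of the same idea, written as an added example rather than code from the answer above: it builds the union of source and destination IPs from the events first (the question asks for both), keeps the hit count, and then matches the result against the CSV. Everything in it is assumed: the index/sourcetype, the field names src_ip, dest_ip and ip_address, and that myIPfile.csv has been uploaded as a lookup table file (inputlookup) rather than dropped into $SPLUNK_HOME/var/run/splunk/csv as inputcsv expects.

```spl
index=firewall sourcetype=pan:traffic earliest=-24h
| eval ip=mvappend(src_ip, dest_ip)             /* one multivalue field holding both IPs of the event */
| mvexpand ip                                   /* one row per IP */
| stats count AS hits BY ip                     /* unique IPs from events, with the optional count */
| eval dataSource="events"
| append
    [| inputlookup myIPfile.csv                 /* assumed lookup file with an ip_address column */
     | rename ip_address AS ip
     | table ip
     | eval dataSource="CSV" ]
| stats values(dataSource) AS dataSource sum(hits) AS hits dc(dataSource) AS numSources BY ip
| where numSources=2                            /* IPs seen in events AND listed in the CSV */
```

The final where clause selects the join type: numSources=2 is the intersection the question asks for; numSources=1 AND dataSource="events" gives IPs that appear in traffic but not in the CSV; numSources=1 AND dataSource="CSV" gives watchlist entries never seen in traffic; dropping the where clause entirely gives the full outer join. The stats command already collapses duplicates, so no separate dedup is needed, and values(dataSource) is single-valued whenever numSources=1, which is why the equality test on dataSource is safe in those two cases. If the CSV is only needed as a filter and not as a second data source, a plain lookup is cheaper than append: run the same eval/mvexpand/stats, then `| lookup myIPfile.csv ip_address AS ip OUTPUT ip_address AS in_csv | where isnotnull(in_csv)`.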
What you're trying to do is definitely possible, but it would be tough to give a solution without knowing your data (are source and dest IP present in the same event, how is the CSV file stored in Splunk ;) ...