- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Given a list of ip addresses, tell me which ones a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, is there a way to make a saved report that, given a fixed list of ip addresses, the report tells me which ones do not appear in a splunk search? Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How I would tackle this is create a single column csv file in var/run/splunk called ip.csv. Give it a header name called IPADDRESS. This should be the fixed list of IP's
Then I would do a search like below(rename ipfieldname with whatever the ip containing fieldname is called in your data and also rename the sourcetype value if you are even searching by a sourcetype)
| inputcsv ip.csv | join type=left IPADDRESS [search sourcetype=somesourcetype | stats count(ipfieldname) AS IPCOUNT by ipfieldname | rename ipfieldname AS IPADDRESS] | search NOT IPCOUNT=*
This will pull in the full list of fixed ips then run a subsearch which gets a count for each unique ip that it finds in your indexed data. it will when join that ip count to the csv list leaving any IP's that dont have a count to be left with a null value for the IPCOUNT field. Then the end of the search it looks for any IPCOUNT that dont have a value which means it was not seen in the data.
There is probably a better way to do it but that's how off the top of my head i would do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How I would tackle this is create a single column csv file in var/run/splunk called ip.csv. Give it a header name called IPADDRESS. This should be the fixed list of IP's
Then I would do a search like below(rename ipfieldname with whatever the ip containing fieldname is called in your data and also rename the sourcetype value if you are even searching by a sourcetype)
| inputcsv ip.csv | join type=left IPADDRESS [search sourcetype=somesourcetype | stats count(ipfieldname) AS IPCOUNT by ipfieldname | rename ipfieldname AS IPADDRESS] | search NOT IPCOUNT=*
This will pull in the full list of fixed ips then run a subsearch which gets a count for each unique ip that it finds in your indexed data. it will when join that ip count to the csv list leaving any IP's that dont have a count to be left with a null value for the IPCOUNT field. Then the end of the search it looks for any IPCOUNT that dont have a value which means it was not seen in the data.
There is probably a better way to do it but that's how off the top of my head i would do it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yep! 🙂 thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you mean that given the list foo,bar,fiz,baz, if the results only have foo and bar, you want the report to show you fiz and baz?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
