I would like to know how we can search for all events for a list of IP in a CSV file.
Without much information here, my suggestion would be this:
Search based on a field (assuming each event has a field called IP_Address, adjust per your situation)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address ]
String based search (no fields are extracted, searching IP address in the raw data)
index=foo sourcetype=bar [| inputlookup yourcsvfile.csv | table IP_Address | rename IP_Address as search ]
If you have a CSV file called ip.csv with a column called IP in Splunk, you can feed it into a search like this:
index=myindex [ | inputlookup ip.csv | stats values(IP) AS search | format ]
That will turn each IP address from ip.csv into a search term. So if your CSV file looked like this:
IP
1.2.3.4
2.3.4.5
3.4.5.6
index=myindex ("1.2.3.4" OR "2.3.4.5" OR "3.4.5.6")
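To make the two answers above concrete, here is an added Python emulation (not part of the thread, and not Splunk code) of what the subsearch expands to: it reads an IP column out of CSV text, builds the field-based form from the first answer and the raw-term form from the second, and runs both against a few constructed events so the difference between them is visible. The CSV text, the events, and the simple tokenizer standing in for Splunk's term indexing are all assumptions made for this example.

```python
"""Emulate the expansion of  [| inputlookup ip.csv | ... | format ]  offline.

Added example, not from the original thread. The CSV content, the sample
events and the whitespace/'=' tokenizer are constructed for illustration;
real Splunk term indexing is more involved than the tokenizer used here.
"""
import csv
import io
import ipaddress
import re

# Constructed stand-in for ip.csv / yourcsvfile.csv (note the bad row).
IP_CSV = """IP
1.2.3.4
2.3.4.5
3.4.5.6
not-an-ip
"""

# Constructed sample events: _raw text plus an extracted IP_Address field.
EVENTS = [
    {"_raw": "src=1.2.3.4 dst=10.0.0.5 action=allow", "IP_Address": "1.2.3.4"},
    {"_raw": "src=9.9.9.9 dst=2.3.4.5 action=deny", "IP_Address": "9.9.9.9"},
    {"_raw": "src=5.5.5.5 dst=10.0.0.1 action=allow", "IP_Address": "5.5.5.5"},
]


def load_ips(csv_text, column="IP"):
    """Return the syntactically valid IPs in `column`, skipping junk rows.

    A subsearch passes every value through unchecked; validating the
    lookup first avoids feeding garbage (or stray quotes) into the search.
    """
    ips = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get(column) or "").strip()
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue
        ips.append(value)
    return ips


def field_search(ips, field="IP_Address"):
    """First answer's form: (IP_Address="1.2.3.4" OR IP_Address="2.3.4.5" ...)."""
    return "(" + " OR ".join(f'{field}="{ip}"' for ip in ips) + ")"


def raw_search(ips):
    """Second answer's form after `rename ... AS search | format`: ("1.2.3.4" OR ...)."""
    return "(" + " OR ".join(f'"{ip}"' for ip in ips) + ")"


def match_field(events, ips, field="IP_Address"):
    """Events whose extracted field equals one of the listed IPs."""
    wanted = set(ips)
    return [e for e in events if e.get(field) in wanted]


def match_raw(events, ips):
    """Events whose raw text contains one of the IPs as a whole term.

    Tokenizing on whitespace and '=' is a constructed approximation of
    term matching; it is enough to show that the raw form also hits IPs
    that appear in fields other than IP_Address (here, dst=).
    """
    wanted = set(ips)
    hits = []
    for e in events:
        tokens = set(re.split(r"[\s=,;]+", e["_raw"]))
        if tokens & wanted:
            hits.append(e)
    return hits


if __name__ == "__main__":
    ips = load_ips(IP_CSV)
    print("index=foo sourcetype=bar", field_search(ips))
    print("index=myindex", raw_search(ips))
    print("field matches:", [e["_raw"] for e in match_field(EVENTS, ips)])
    print("raw matches:  ", [e["_raw"] for e in match_raw(EVENTS, ips)])
```

Two things worth checking before relying on this in production: the field form only finds events where the IP sits in the named field (the second sample event is missed because 2.3.4.5 is in dst, not IP_Address), while the raw form finds it anywhere in the event text; and Splunk caps subsearch output (the default `maxout` in the `[subsearch]` stanza of limits.conf is 10000 results), so a large IP list will be silently truncated unless you raise that limit or use a lookup-based approach instead.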
Thank you very much.
This solved my problem.
Hi.
Sorry for being a bit vague, I'm very new to Splunk and its search language.
I'm marking this as a solution.
Thanks for your help.