Sorry in advance to the newbie question but, is there a way to import a list of IP addresses into splunk search query?
For example, I come across a couple of pieces of malware and identify the call back addresses which could number into the dozens or even hundreds. I would like to be able to import a list with these addresses into Splunk and run those across my Web Logs looking for any activity.
Thanks
Have a look at lookups in the docs; the commands inputcsv or inputlookup may also prove fruitful:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/5.0.1/SearchReference/Inputcsv
This is a prime example of what you could use a subsearch for. http://docs.splunk.com/Documentation/Splunk/5.0.2/Tutorial/Useasubsearch
Given a lookup table (yourlookuptable) with a list of IPs (field ip), you could do

    yourwebsearch [| inputlookup yourlookuptable | fields ip]
editing again.....
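A fuller version of the subsearch approach, as an added example that is not from the answer above: the lookup's ip field is renamed inside the subsearch so the generated OR clause matches the field your web logs actually carry, and a second search does the same match with the lookup command, which avoids the subsearch result limit when the indicator list grows to hundreds of entries. Index web, sourcetype access_combined and the field names src_ip and dest_ip are assumptions; substitute your own.

```spl
index=web sourcetype=access_combined
    [| inputlookup yourlookuptable
     | fields ip
     | rename ip AS dest_ip ]
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip dest_ip

index=web sourcetype=access_combined
| lookup yourlookuptable ip AS dest_ip OUTPUT ip AS matched_ioc
| where isnotnull(matched_ioc)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip matched_ioc
```

Run the two searches separately; both return one row per internal host and matched indicator, with the first and last time that host was seen contacting it.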