Solved: Help searching a CSV file with multiple conditions

adecroix · ‎10-10-2017

Hi,

I spent a lot of hours to find the request I need with no success so I ask your help.

My goal is to build a request with multiple fields condition values extract from a CSV.

I have a CSV file with the below construction

| inputlookup nios_member_ip_lookup | fields MEMBER_IP

MEMBER_IP
192.168.1.xx1
192.168.3.xx2
192.168.1.xx5
192.168.1.xx7
192.168.1.xx0
192.168.xx.x0
192.168.x.xx5
192.168.x.xx0
192.168.x.xx0
192.168.x.xx3

Based on this result, I would have all results from each defined value for a field like:

index=ib_dns_summary report=si_dns_top_clients CLIENT=@IP1 OR CLIENT=@IP2 OR CLIENT=@IP3 ...

So I think I need to build a subsearch request, but I failed to do that. I tried this:

index=ib_dns_summary report=si_dns_top_clients CLIENT="$member_ip" [| inputlookup nios_member_ip_lookup | fields MEMBER_IP | rename MEMBER_IP as member_ip]

Thanks a lot for your help.

pradeepkumarg · ‎10-10-2017

index=ib_dns_summary report=si_dns_top_clients  [| inputlookup nios_member_ip_lookup | fields MEMBER_IP | rename MEMBER_IP as CLIENT | table CLIENT | format]

View solution in original post

pradeepkumarg · ‎10-10-2017

index=ib_dns_summary report=si_dns_top_clients  [| inputlookup nios_member_ip_lookup | fields MEMBER_IP | rename MEMBER_IP as CLIENT | table CLIENT | format]

adecroix · ‎10-11-2017

Works fine, thanks a lot for your help 🙂

Help searching a CSV file with multiple conditions

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?