I'm a Splunk rookie, so I apologize if I'm unclear on my question.
I have one index which contains, among other things, both a username and a clientip for each successful login. This index gets approximately 30,000 entries per hour.
I have a second index which contains, among other things, both the same username and the site (AMS or DAL) for each successful login. This index gets approximately 40,000 entries per hour.
What I need to accomplish is a 30-day search that will output a list of all unique IP addresses that connected to one of the sites, so I can GeoIP it and produce a list of countries-of-origin logging in to each site.
Here is the query that I've come up with. This works like a champ, if I search over a 15-minute interval. Problem is, I need to search over the past 30 days. How can I rewrite this to eliminate the need for a subsearch, allowing me to get to the results I need? Should I use a 'transaction' to do this or is that out of place too?
Again, Splunk rookie here... it's taken me hours to get this far, even though I expect there is a simple and obvious solution.
index=auth NOT clientip="10.*" [search index="product12" "Completed login" host="DAL*" | rex "(?i) for user (?P<username>[^ ]+)" | dedup username | fields username] | geoip clientip | dedup clientip
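One subsearch-free rewrite of the query above, added here as an illustration rather than taken from the original post: both indexes are pulled in a single base search and correlated with `stats ... by username`, so the 30-day run is not bound by the subsearch result and time limits. It assumes the `product12` host names begin with the site prefix (`DAL*`/`AMS*`, as in the original's `host="DAL*"`), that the `auth` index already has `username` and `clientip` extracted, and uses the built-in `iplocation` command in place of the `geoip` app command; adjust those to your environment.

```spl
(index=auth NOT clientip="10.*")
  OR (index="product12" "Completed login" (host="DAL*" OR host="AMS*"))
/* product12 events carry the user in the message text; auth events already have username */
| rex "(?i) for user (?P<login_user>[^ ]+)"
| eval username=coalesce(username, login_user)
/* derive the site only from product12 events so auth-server host names cannot mislabel it (assumption) */
| eval site=if(index="product12",
               case(like(host,"DAL%"),"DAL", like(host,"AMS%"),"AMS"),
               null())
/* correlate the two indexes on username instead of feeding one into a subsearch */
| stats values(clientip) AS clientip, values(site) AS site BY username
| where isnotnull(clientip) AND isnotnull(site)
| mvexpand site
| mvexpand clientip
/* one row per site/IP pair, keeping how many distinct users came from it */
| stats dc(username) AS users BY site, clientip
| iplocation clientip
/* country-of-origin summary per site */
| stats dc(clientip) AS unique_ips, sum(users) AS logins_users BY site, Country
| sort site, -unique_ips
```

Drop the final two lines to get the raw list of unique IPs per site with their country instead of the per-country summary.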