Hey Splunkers,
Long-time lurker, first-time poster. I'm doing something similar but looking up IP addresses for brute force attacks. I'm sure I'm hitting a snag with my: |eval IP=mvindex(Source_address,0)
The .csv is pretty straightforward:
Source_address; count
10.0.0.5; 50
10.0.0.1; 2
10.0.0.4; 4
I get values back with my search, but when validating them there are some discrepancies:
index=yes success=1 ipaddress=*
| rename ipaddress as IP
| dedup IP
| eval From=1
| append
    [| inputlookup ohyes.csv
     | eval IP=mvindex(Source_address,0)
     | dedup IP
     | table IP
     | eval From=2]
| stats sum(From) as From by IP
| eval status=case(From=3, "Present in both", From=1, "Only in search", 1=1, "Only in CSV")
| where status="Present in both"
| table IP status
Any help would be greatly appreciated!
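The same intersection logic, redone as an added Python example (not code from the post or from Splunk) so the lookup-parsing step can be checked outside Splunk. It loads the semicolon-separated file first with the comma delimiter that a CSV lookup is read with, then with the delimiter the file actually uses, and reproduces the From=1/From=2 sum and the case() labelling from the search. The search-side IP list and the file contents are constructed sample data based on the values in the post.

```python
import csv
import io
from typing import Dict, Iterable, List, Set

# Constructed sample: the lookup file exactly as shown in the post,
# i.e. semicolon-separated rather than comma-separated.
LOOKUP_CSV = "Source_address; count\n10.0.0.5; 50\n10.0.0.1; 2\n10.0.0.4; 4\n"

# Constructed sample: source IPs as they might come back from the index search
# (one duplicate on purpose, which the search side dedups away).
SEARCH_IPS = ["10.0.0.5", "10.0.0.5", "10.0.0.4", "10.0.0.7"]

# Same mapping as the SPL case(): 1 = search only, 2 = CSV only, 3 = both.
FROM_STATUS = {1: "Only in search", 2: "Only in CSV", 3: "Present in both"}


def lookup_field_names(text: str, delimiter: str = ",") -> List[str]:
    """Column names a CSV reader sees for the given delimiter."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    return list(reader.fieldnames or [])


def detect_delimiter(text: str) -> str:
    """Pick ';' or ',' based on which one the header line actually uses."""
    header = text.splitlines()[0]
    return ";" if header.count(";") > header.count(",") else ","


def load_lookup_ips(text: str, delimiter: str) -> Set[str]:
    """Distinct values of the Source_address column; empty if the column is absent."""
    rows = csv.DictReader(io.StringIO(text), delimiter=delimiter, skipinitialspace=True)
    ips: Set[str] = set()
    for row in rows:
        value = row.get("Source_address")
        if value:
            ips.add(value.strip())
    return ips


def from_scores(search_ips: Iterable[str], lookup_ips: Set[str]) -> Dict[str, int]:
    """Mirror of `stats sum(From) by IP` after both sides have been deduplicated."""
    scores: Dict[str, int] = {}
    for ip in set(search_ips):          # dedup IP on the search side
        scores[ip] = scores.get(ip, 0) + 1
    for ip in lookup_ips:               # lookup side is already a set
        scores[ip] = scores.get(ip, 0) + 2
    return scores


def classify(search_ips: Iterable[str], lookup_ips: Set[str]) -> Dict[str, str]:
    """Mirror of the eval status=case(...) step."""
    return {ip: FROM_STATUS[score] for ip, score in from_scores(search_ips, lookup_ips).items()}


def present_in_both(search_ips: Iterable[str], lookup_ips: Set[str]) -> List[str]:
    """Mirror of `where status="Present in both"`, sorted for stable output."""
    return sorted(ip for ip, s in classify(search_ips, lookup_ips).items() if s == "Present in both")


if __name__ == "__main__":
    # Read with a comma delimiter: the whole header becomes one column and
    # Source_address does not exist, so nothing matches.
    print("comma columns:", lookup_field_names(LOOKUP_CSV, ","))
    print("comma IPs:", load_lookup_ips(LOOKUP_CSV, ","))
    # Read with the delimiter the file really uses.
    delim = detect_delimiter(LOOKUP_CSV)
    ips = load_lookup_ips(LOOKUP_CSV, delim)
    print("detected delimiter:", repr(delim), "IPs:", sorted(ips))
    print("status:", classify(SEARCH_IPS, ips))
    print("present in both:", present_in_both(SEARCH_IPS, ips))
```

Running it shows the two readings side by side: with a comma delimiter the only column is "Source_address; count" and the IP set is empty, while with the semicolon delimiter the three addresses load and the From sums come out as 3 for the two shared IPs, 1 for the search-only one and 2 for the CSV-only one.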