Hello Splunkers,
Help me please. I need a search to generate a daily report looking for users' traffic in internal logs. I have a CSV file, generated daily by an external system, that contains a username and a start-end time period, like this:
report.csv

user,start_time,end_time
user1,8,16
user2,8,20
I have to insert these three fields per user into my search. I am using inputlookup to catch the "user" field this way:
[base search] | search user=*[|inputlookup "report.csv" |fields user ]* | table x,y,z,user
It works and shows only the user-related logs; there could be one or more users in the CSV. The problem I cannot handle yet is the additional fields. I had an idea to add an extra field with the "eval" command, but it doesn't work. So how can I read the rest of the data from an external CSV file?
Thanks