I have 221180 IPs in a CSV (deattackerv1.csv) with only one field, "ip", and I want to check whether we have any hits in Splunk for those IPs in one given index. How can we achieve that?
Below is the query, but I am getting the error "Subsearch produced 221180 results, truncating to maxout 10000."
index=*_abc | search [| inputlookup deattackerv1.csv | table ip | rename ip as src_ip] | stats count by src_ip,index
Note: src_ip is one column in index=*_abc.
I have tried the below as well:
index=*_abc
| stats count as eventcount by src_ip,index
| append [| inputlookup deattackerv1.csv | table ip | rename ip as src_ip]
| eventstats values(index) as indexes
| eval index=if(isnull(index),indexes,index)
| table eventcount src_ip index
| mvexpand index
| stats count as sourcecount values(eventcount) as eventcount by src_ip index
| where sourcecount > 1
| table src_ip eventcount index
but I am getting this error in INFO MESSAGES:
[subsearch]: Subsearch produced 221180 results, truncating to maxout 50000.
You're close
Do this instead:
This will use the inputlookup the way you want it to (i.e., only match IPs that are in it).
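As an added example (not the query from this answer or from Splunk's documentation), one way to match the CSV against the index without any subsearch is to apply it with the lookup command, so the 221180 rows never go through the subsearch maxout limit. It assumes deattackerv1.csv has been uploaded as a lookup table file that is visible from the app you search in.

```spl
index=*_abc
| stats count AS eventcount BY src_ip, index
| lookup deattackerv1.csv ip AS src_ip OUTPUT ip AS matched_ip
| where isnotnull(matched_ip)
| table src_ip index eventcount
| sort - eventcount
```

Aggregating with stats first means the lookup runs once per distinct src_ip/index pair rather than once per raw event; rows whose src_ip is not in the CSV get no matched_ip and are dropped by the where clause, so only IPs from your list come back.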