Hi,
I have been asked to create a search (and then a report) that shows vpn logins for the last XX minutes (probably going back 1- 4 hours). I have that search - it returns 4 fields, and it could return a few thousand rows (maybe, 3-5). I then have to merge the login id with a lookup file that already exists with the individuals location, bu.... and then present that info in trends.
My question is what is the better approach - reading the input file and then using Splunk to extract the relevant login id's and additional information, or querying Splunk first, get the login id's, and then query the input lookup. (Are both of these even possible?) The lookup file is about 75k rows, and 150 fields (of which, I only want 10).
Hope this makes sense.
TIA...
↧