https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529532#M149561 <P>Hi.<BR /><BR />I have an alert that'll tell me if a host is down, and it runs for both Active and Standby hosts.<BR /><BR />The issue is that when the standby host hasn't received a log,&nbsp; I'd like to run a search to see if the active host has received a log in the last 24 hours, and if so to ignore it.<BR /><BR />I can run a search for all IPs, but what I cant seem to do is see if 198.0.0.2 is down, to check for 198.0.0.1 (the Active is always -1 from Standby)<BR /><BR />I thought something like this might work, but no.<BR /><BR /></P><P>index=* host=*<BR />[search index="*" host=198.0.0.2</P><P>|rex field=host "(?&lt;Net&gt;\d+\.\d+\.\d+)\.(?&lt;Host&gt;\d+)"<BR />|eval Host2 = (Host-1)<BR />|eval newhost= Net. "." .Host2<BR />|fields newhost]<BR />|where host=newhost<BR /><BR />any and all help appreciated</P> Mon, 16 Nov 2020 13:12:42 GMT logginz85 2020-11-16T13:12:42Z https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529532#M149561 <P>Hi.<BR /><BR />I have an alert that'll tell me if a host is down, and it runs for both Active and Standby hosts.<BR /><BR />The issue is that when the standby host hasn't received a log,&nbsp; I'd like to run a search to see if the active host has received a log in the last 24 hours, and if so to ignore it.<BR /><BR />I can run a search for all IPs, but what I cant seem to do is see if 198.0.0.2 is down, to check for 198.0.0.1 (the Active is always -1 from Standby)<BR /><BR />I thought something like this might work, but no.<BR /><BR /></P><P>index=* host=*<BR />[search index="*" host=198.0.0.2</P><P>|rex field=host "(?&lt;Net&gt;\d+\.\d+\.\d+)\.(?&lt;Host&gt;\d+)"<BR />|eval Host2 = (Host-1)<BR />|eval newhost= Net. "." .Host2<BR />|fields newhost]<BR />|where host=newhost<BR /><BR />any and all help appreciated</P> Mon, 16 Nov 2020 13:12:42 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529532#M149561 logginz85 2020-11-16T13:12:42Z https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529563#M149576 <P>Splunk has a hard time finding things that aren't there.&nbsp; In this case, if host 198.0.0.2 isn't found then there will be no host field from which to extract sub-fields and, so, no newhost field.&nbsp;&nbsp;</P><P>If you run the subsearch by itself with "| format" added then you'll see what it returns to the main search.</P> Mon, 16 Nov 2020 15:47:38 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529563#M149576 richgalloway 2020-11-16T15:47:38Z https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529572#M149579 <P>Hi, that makes sense, and |format helped me realise it wasn't pulling through right.&nbsp;<BR /><BR />That lead me onto this.<BR /><BR />index="*" host = *<BR />| eval standbyhost = "198.0.0.2"<BR />| rex field=standbyhost "(?&lt;Net&gt;\d+\.\d+\.\d+)\.(?&lt;Host&gt;\d+)"<BR />| eval Host2 = (Host-1)<BR />| eval newhost= Net. "." .Host2<BR />| where host = newhost<BR /><BR />I create a new field "standbyhost" that is the value of the standby host I already know. I apply this to all results.<BR />Then I do maths to lower this IP by 1, and create the new field newhost.<BR /><BR />Now every rsult has their host as their own host IP, but the field newvalue of the target I'm looking for.<BR /><BR />Then its just a where host=newhost to find it.<BR /><BR />Seeing as this will actually pull the value of standbyhost from a field in an alert, I think this'll work.</P><P><BR /><BR /></P> Mon, 16 Nov 2020 16:34:08 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529572#M149579 logginz85 2020-11-16T16:34:08Z https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529586#M149584 <P>If your problem is resolved, then please click the "Accept as Solution" button to help future readers.</P> Mon, 16 Nov 2020 17:56:48 GMT https://community.splunk.com/t5/Splunk-Search/Search-for-an-adjacent-IP-address/m-p/529586#M149584 richgalloway 2020-11-16T17:56:48Z