topic compare 2 field different source type in Splunk Search

compare 2 field different source type

pgabriel10 — Fri, 10 Sep 2021 21:55:02 GMT

Hello guys,

I have the VPN log and network log.

- In VPN log's it's possible to show IP and USERNAME
- In Network log it's possible to show what's site the IP access.

I need to comparare 2 fields ( IP VPN [src_ip] , IP Network [SRC]) if the field is the same i will add the user.

I Tried this:

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log) | where src_ip=SRC | eval username_acess=user | table username_acess,SRC,dst

But doesnt work.

Another way is:

| eval field1=SRC,field2=src_ip | eval results1=if(field1=field2,"Yes","No") | eval results2=if(match(field1,field2),"Yes","No") | where match(field1,field2)

I think the error is because the sourcetype is different.

Could you help me ?

Re: compare 2 field different source type

ITWhisperer — Fri, 10 Sep 2021 22:54:20 GMT

It doesn't work because splunk works on a pipeline of events - your events come from different source types so the fields extracted in one sourcetype may not exist in the other source type. You can rename one of the fields so it has the same name as the other sourcetype and then either join or use stats to collate the information from the different sourcetypes.

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log) | rename src_ip as SRC | stats values(user) as username_access values(dst) as dst by SRC | table username_acess,SRC,dst

Re: compare 2 field different source type

pgabriel10 — Sat, 11 Sep 2021 03:10:42 GMT

I tried but doesnt work. The dst field is blank. Just show the username and SRC.

Re: compare 2 field different source type

ITWhisperer — Sat, 11 Sep 2021 08:25:02 GMT

The dst field came from your example - if it is not filled, you should look at your extractions