topic How to find ip addresses which have both received and sent a message? in Splunk Search

How to find ip addresses which have both received and sent a message?

masoud — Mon, 22 Aug 2022 12:09:05 GMT

It is sort of like multiplying the set with itself and getting a subset in mathematical term.

my data is sth like this

src_ip dst_ip time X Y

1.1.1.1 2.2.2.2 1pm .. ...

2.2.2.2 3.3.3.3 3pm .. ...

Re: find ip addresses which have both received and sent a message

yuanliu — Mon, 22 Aug 2022 03:40:20 GMT

To get help in search forum, you really want to illustrate your data, or at least let people know which application/log your are referring to and pray that somebody here has worked on that same application/log.

Re: find ip addresses which have both received and sent a message

VatsalJagani — Mon, 22 Aug 2022 05:23:18 GMT

@masoud - This would be the simplest mathematical way to do it. (In Splunk though there could be a better way of doing depending on the data.)

I hope this helps!!! Karma would be appreciated!!!

Re: find ip addresses which have both received and sent a message

masoud — Mon, 22 Aug 2022 06:14:34 GMT

Thx mate. I update the question with more information about my data. could you please have a look?

Re: find ip addresses which have both received and sent a message

masoud — Mon, 22 Aug 2022 06:14:54 GMT

Thx mate. I update the question with more information about my data. could you please have a look?

Re: find ip addresses which have both received and sent a message

PickleRick — Mon, 22 Aug 2022 07:05:46 GMT

If I understand you correctly, you have in your events a source and destination fields and you want to find values which are present in both of those fields within your time range (which would mean that there was a connection to such an IP as well as from it).

There are probably many different approaches to such problem but I'd simply do

<your search>
| stats values(src_ip) as src_ip values(dst_ip) as dst_ip
| transpose
| rename "row 1" as IP
| mvexpand IP
| stats count by IP
| where count=2

Re: find ip addresses which have both received and sent a message

yuanliu — Tue, 23 Aug 2022 07:05:22 GMT

VatsalJagani and PickleRick's answers all should work. Here's an alternative:

| stats values(src_ip) as src_ip values(dst_ip) as dst_ip | eval src_ip_in_dst_ip = mvmap(src_ip, if(isnull(mvfind(dst_ip, "^" . src_ip . "$")), null(), src_ip))

Output using your sample data is

src_ip	dst_ip	src_ip_in_dst_ip
1.1.1.1 2.2.2.2	2.2.2.2 3.3.3.3	2.2.2.2