Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare 2 indexes and 2 fields of IP addresses with different field name (result wanted: Are there similar/like IP's?)

strangelaw
Explorer
‎01-17-2016 07:56 AM

So I have 2 separate indexes with both having ip-addresses as events.
On index A the ip-addresses are under ipaddr field and on index B the ip-addresses are under host_ip field.

What I want to do is to a) compare b) evaluate those fields (content) together.

I tried several tricks available on Splunk Answers and its always missing some pieces or not suitable for this use.

index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip)), "hit", "miss") - does not work.

Eventually, I dont need yet to know if there is miss or hit - I just find to find there IS similar ip addresses on both.

Ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 02:55 PM

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index. 

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)  
| eval ip=if(isnull(ipaddr),host_ip,ipaddr) 
| fields index ip 
| chart count(ip) AS count over ip by index 
| where a-index=b-index

View solution in original post

Reply
Solved! Jump to solution
Solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 02:55 PM

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index. 

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)  
| eval ip=if(isnull(ipaddr),host_ip,ipaddr) 
| fields index ip 
| chart count(ip) AS count over ip by index 
| where a-index=b-index
Reply
Solved! Jump to solution

strangelaw
Explorer
‎01-27-2016 08:36 AM

Thanks a bunch! Simple, yet powerful.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-17-2016 11:04 AM

Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.

If you just want to find common IPs try the following instead (not tested):

index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| dedup index, ipaddr, host_ip
| rename ipaddr as host_ip 
| stats count by host_ip, index
| where count > 1
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...