So I have 2 separate indexes, with both having IP addresses as events.
On index A the IP addresses are under the ipaddr field and on index B the IP addresses are under the host_ip field.
What I want to do is to a) compare and b) evaluate those fields (content) together.
I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.
index=a-index OR index=b-index | search ipaddr=* OR host_ip=* | eval results = if(match(ipaddr, host_ip), "hit", "miss") - does not work.
Eventually, I don't yet need to know if there is a miss or a hit - I just want to find out whether there ARE similar IP addresses on both.
Keep in mind that you have two different event flows, a-index and b-index, and therefore your match is not going to work. match() compares fields within the same event, and each of your events belongs to either a-index or b-index. You need to group your events first.
If you just want to find common IPs, try the following instead (not tested):
index=a-index OR index=b-index | fields index, ipaddr, host_ip | rename ipaddr AS host_ip | dedup index, host_ip | stats dc(index) AS index_count by host_ip | where index_count > 1
Give this a try. In the main search below, make sure the IP fields are paired with the proper index (ipaddr with a-index, host_ip with b-index, as in your question).
(index="a-index" ipaddr=*) OR (index="b-index" host_ip=*) | eval ip=coalesce(ipaddr, host_ip) | fields index ip | chart count over ip by index | where 'a-index' > 0 AND 'b-index' > 0
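As an added illustration of what both answers above compute (this is Python written for this page, not SPL and not code from either answerer), the script below runs the two approaches over a handful of constructed sample events: a per-event comparison in the style of the original match() attempt, the stats-style "group by IP, count distinct indexes" approach of the first answer, and the chart-style "one row per IP, one column per index" approach of the second answer. The index and field names come from the question; the sample IP values, the normalization step through the ipaddress module (so an IPv6 address written in upper case in one index still groups with the lower-case copy in the other), and the function names are assumptions made for this example.

```python
"""Added illustration in Python (not SPL) of why a per-event match() cannot
compare ipaddr from index A with host_ip from index B, and what the two
grouping-based answers compute instead. All events below are constructed
sample data, not output from a real Splunk instance."""
from collections import defaultdict
import ipaddress

# Constructed sample events: each event comes from exactly one index and
# therefore carries only one of the two fields, as in the question.
EVENTS = [
    {"index": "a-index", "ipaddr": "10.0.0.5"},
    {"index": "a-index", "ipaddr": "10.0.0.7"},
    {"index": "a-index", "ipaddr": "10.0.0.5"},       # duplicate in A
    {"index": "a-index", "ipaddr": "2001:DB8::1"},    # IPv6, upper case
    {"index": "b-index", "host_ip": "10.0.0.5"},
    {"index": "b-index", "host_ip": "10.0.0.9"},
    {"index": "b-index", "host_ip": "2001:db8::1"},   # same address, lower case
    {"index": "b-index", "host_ip": "not-an-ip"},     # junk value, dropped
]


def per_event_match(events):
    """What eval results=if(match(ipaddr, host_ip), ...) sees: both fields
    are read from the same event, and one of them is always missing."""
    return [e for e in events
            if "ipaddr" in e and "host_ip" in e and e["ipaddr"] == e["host_ip"]]


def normalize_ip(raw):
    """Canonical text form so '2001:DB8::1' and '2001:db8::1' group together.
    Returns None for values that are not IP addresses (assumption: we drop
    them rather than let them pollute the grouping)."""
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None


def ip_of(event):
    """Equivalent of eval ip=coalesce(ipaddr, host_ip)."""
    return normalize_ip(event.get("ipaddr") or event.get("host_ip") or "")


def common_ips_by_stats(events):
    """Equivalent of the first answer's approach:
    stats dc(index) AS index_count by ip | where index_count > 1"""
    indexes_by_ip = defaultdict(set)
    for e in events:
        ip = ip_of(e)
        if ip is not None:
            indexes_by_ip[ip].add(e["index"])
    return sorted(ip for ip, idx in indexes_by_ip.items() if len(idx) > 1)


def chart_ip_by_index(events):
    """Equivalent of chart count over ip by index: one row per ip, one
    column per index holding that index's event count (absent means 0)."""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        ip = ip_of(e)
        if ip is not None:
            table[ip][e["index"]] += 1
    return {ip: dict(cols) for ip, cols in table.items()}


def common_ips_by_chart(events):
    """Rows that have a non-zero count in both columns. Testing the two
    counts for equality instead would be wrong: 10.0.0.5 has 2 events in
    a-index and 1 in b-index and would be dropped even though it is shared."""
    return sorted(ip for ip, cols in chart_ip_by_index(events).items()
                  if cols.get("a-index", 0) > 0 and cols.get("b-index", 0) > 0)


if __name__ == "__main__":
    print("per-event match hits:", per_event_match(EVENTS))
    print("common via stats:    ", common_ips_by_stats(EVENTS))
    print("common via chart:    ", common_ips_by_chart(EVENTS))
```

The per-event comparison returns nothing for any input of this shape, which is the point of the first answer; both grouping approaches return the two shared addresses, and the chart table makes it visible why the filter has to test each index column for a non-zero count rather than compare the two counts with each other.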