
Compare 2 indexes and 2 fields of IP addresses with different field names (result wanted: Are there similar/like IPs?)

Explorer

So I have 2 separate indexes, both having IP addresses in their events.
On index A the IP addresses are under the ipaddr field and on index B the IP addresses are under the host_ip field.

What I want to do is to a) compare and b) evaluate the content of those fields together.

I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.

index=a-index OR index=b-index | search ipaddr, hostip | eval results = if(match(ipaddr,hostip)), "hit", "miss") - does not work.

Eventually, I don't need to know yet whether there is a miss or a hit; I just need to find out whether there ARE similar IP addresses on both.

Ideas?


Re: Compare 2 indexes and 2 fields of IP addresses with different field names (result wanted: Are there similar/like IPs?)

SplunkTrust

Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.

If you just want to find common IPs try the following instead (not tested):

index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| dedup index, ipaddr, host_ip
| rename ipaddr as host_ip
| stats dc(index) AS index_count by host_ip
| where index_count > 1

Re: Compare 2 indexes and 2 fields of IP addresses with different field names (result wanted: Are there similar/like IPs?)

Splunk Employee

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index.

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)
| eval ip=if(isnull(ipaddr),host_ip,ipaddr)
| fields index ip
| chart count(ip) AS count over ip by index
| where 'a-index' > 0 AND 'b-index' > 0

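The pattern both answers use (coalesce the two differently named fields into one, then keep the values seen in more than one index) as an added Python example, not part of either answer and not Splunk code; the sample events are constructed here. It goes one step beyond the SPL string comparison by canonicalising each address with the ipaddress module, so textual variants of the same IPv6 address still count as a match.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events standing in for the two indexes in the question:
# a-index carries the address in "ipaddr", b-index in "host_ip".
A_INDEX_EVENTS = [
    {"index": "a-index", "ipaddr": "10.1.2.3"},
    {"index": "a-index", "ipaddr": "10.1.2.3"},           # repeat within one index
    {"index": "a-index", "ipaddr": "192.168.0.20"},
    {"index": "a-index", "ipaddr": "2001:DB8::1"},         # upper-case, compressed IPv6
]
B_INDEX_EVENTS = [
    {"index": "b-index", "host_ip": "10.1.2.3"},
    {"index": "b-index", "host_ip": "172.16.5.9"},
    {"index": "b-index", "host_ip": "2001:db8:0:0:0:0:0:1"},  # same address, long form
    {"index": "b-index", "host_ip": "not-an-ip"},              # malformed value
]

def coalesce_ip(event):
    """Mirror of `eval ip=if(isnull(ipaddr),host_ip,ipaddr)`: take whichever
    field the event carries, then canonicalise it so that different spellings
    of the same address compare equal. Returns None when no usable IP exists."""
    raw = event.get("ipaddr") or event.get("host_ip")
    if raw is None:
        return None
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return None  # plain string comparison would silently keep such junk

def common_ips(events):
    """Mirror of `stats dc(index) by ip | where dc > 1`: map every canonical IP
    to the set of indexes it appeared in and keep those seen in more than one."""
    seen_in = defaultdict(set)
    for ev in events:
        ip = coalesce_ip(ev)
        if ip is not None:
            seen_in[ip].add(ev["index"])
    return sorted(ip for ip, idxs in seen_in.items() if len(idxs) > 1)

if __name__ == "__main__":
    for ip in common_ips(A_INDEX_EVENTS + B_INDEX_EVENTS):
        print(ip)
```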


Re: Compare 2 indexes and 2 fields of IP addresses with different field names (result wanted: Are there similar/like IPs?)

Explorer

Thanks a bunch! Simple, yet powerful.
