Splunk Search

I want to obtain IP addresses that are not duplicated.

superhm
Explorer

I want to get IP addresses that are not duplicated.

There are two example searches, A and B.

A search is
index=AV "VirusAlert" | fields CLIENTIP | dedup CLIENTIP

B search is
index=AV "Remove" | fields CLIENTIP | dedup CLIENTIP

I want to get IP addresses except IP addresses in result B.


inventsekar
Ultra Champion

Check this, from a similar post -

Source1: 192.168.0.1, 192.168.0.2, 192.168.0.3
Source2: 192.168.0.1, 192.168.0.2, 192.168.0.4, 192.168.0.5

Output (in Source1 but not in Source2): 192.168.0.3

index=AV "VirusAlert" earliest=-1h | fields CLIENTIP | dedup CLIENTIP | eval ip=CLIENTIP | eval source1="Y" | table ip source1
| join ip type=outer [search index=AV "Remove" earliest=-1h | fields CLIENTIP | dedup CLIENTIP | eval ip=CLIENTIP | eval source2="Y" | table ip source2 ]

After you run this command, you should have 3 columns of output: ip source1 source2

The ip column will be the IP address, of course. The source1 column will contain Y if the IP address existed in source1, and the source2 column will contain Y if the IP address existed in source2. To go further, you could append the following to the search to get the variations that you want.

To only show IPs that appear in both, add:
| where source1 = "Y" AND source2 = "Y"

To only show IPs that appear ONLY in source1, add (source2 is null for rows that did not match in the outer join, and a null compared with != is not true in where, so test it with isnull):
| where source1 = "Y" AND isnull(source2)

You get the idea. There might be a more efficient way to do this, but this gives you a "base search" that is pretty flexible. You could even put the "base search" in a macro, which would make it even easier to type.

Note the use of earliest=-1h in the two searches; this will keep your working data size under reasonable control, and help keep the search reasonably quick.


superhm
Explorer

Thank you for your advice!
It is very helpful for me.


hardikJsheth
Motivator

The simple query can be

index=AV "VirusAlert" | dedup CLIENTIP | table CLIENTIP | search NOT [|search index=AV "Remove" | dedup CLIENTIP | table CLIENTIP] | table CLIENTIP
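Added example (not from either answer above): both approaches from this thread, the NOT-subsearch form and the outer-join form, run against constructed data built with makeresults so they can be tried without the index=AV data; the IP lists are the ones from the Source1/Source2 illustration above, and only 192.168.0.3 should survive.

```spl
| makeresults
| eval CLIENTIP=split("192.168.0.1,192.168.0.2,192.168.0.3,192.168.0.1", ",")
| mvexpand CLIENTIP
| dedup CLIENTIP
| search NOT [
    | makeresults
    | eval CLIENTIP=split("192.168.0.1,192.168.0.2,192.168.0.4,192.168.0.5", ",")
    | mvexpand CLIENTIP
    | dedup CLIENTIP
    | table CLIENTIP ]
| table CLIENTIP

| makeresults
| eval ip=split("192.168.0.1,192.168.0.2,192.168.0.3,192.168.0.1", ",")
| mvexpand ip
| dedup ip
| eval source1="Y"
| table ip source1
| join ip type=outer [
    | makeresults
    | eval ip=split("192.168.0.1,192.168.0.2,192.168.0.4,192.168.0.5", ",")
    | mvexpand ip
    | dedup ip
    | eval source2="Y"
    | table ip source2 ]
| where source1="Y" AND isnull(source2)
| table ip
```

The subsearch in the first form is expanded into an OR of CLIENTIP=value terms, so it is bounded by the default subsearch limits (10,000 results, 60 seconds); for a large "Remove" set the join form, or a stats-based approach, scales better. In the second form the rows with no match carry a null source2, which is why the filter uses isnull(source2) rather than source2 != "Y".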

superhm
Explorer

Wow, so simple!
Thank you for your help. : )
