
I want to obtain IP addresses that are not duplicated.

Explorer

I want to get IP addresses that are not duplicated.

There are two example searches, A and B.

A search is
index=AV "VirusAlert" | fields CLIENTIP | dedup CLIENTIP

B search is
index=AV "Remove" | fields CLIENTIP | dedup CLIENTIP

I want to get the IP addresses except the IP addresses in result B.


Motivator

The simple query can be

index=AV "VirusAlert" | dedup CLIENTIP | table CLIENTIP | search NOT [|search index=AV "Remove" | dedup CLIENTIP | table CLIENTIP] | table CLIENTIP


Champion

Check this, from a similar post:

Source1
192.168.0.1
192.168.0.2
192.168.0.3
Source2
192.168.0.1
192.168.0.2
192.168.0.4
192.168.0.5

Output
192.168.0.3

index=AV "VirusAlert" earliest=-1h | fields CLIENTIP | dedup CLIENTIP | eval ip=CLIENTIP | eval source1="Y" | table ip source1
| join type=outer ip [search index=AV "Remove" earliest=-1h | fields CLIENTIP | dedup CLIENTIP | eval ip=CLIENTIP | eval source2="Y" | table ip source2 ]

After you run this command, you should have 3 columns of output: ip source1 source2

The ip column will be the IP address, of course. The source1 column will contain Y if the IP address existed in source1, and the source2 column will contain Y if the IP address existed in source2. To go further, you could append the following to the search to get the variations that you want:

To only show IPs that appear in both, add:
| where source1 = "Y" AND source2 = "Y"

To only show IPs that appear ONLY in source1, add (source2 is null for those rows, and a null never compares equal or unequal to "Y", so test it with isnull):
| where source1 = "Y" AND isnull(source2)

You get the idea. There might be a more efficient way to do this, but this gives you a "base search" that is pretty flexible. You could even put the "base search" in a macro, which would make it even easier to type.

Note the use of earliest=-1h in the two searches; this will keep your working data size under reasonable control, and help keep the search reasonably quick.

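A subsearch-free and join-free way to get the same set difference, added here as an example and not taken from any answer in this thread: it reads both event types in one pass, tags each event by which search it matched, and keeps only CLIENTIP values that were seen in VirusAlert events and never in Remove events. This avoids the default subsearch limits (10,000 results, 60 seconds) that a large Remove list would hit. It assumes, as the question does, that both event types live in index=AV and carry a CLIENTIP field.

```spl
index=AV ("VirusAlert" OR "Remove") earliest=-1h
| eval src=if(searchmatch("Remove"), "remove", "alert")
| stats count(eval(src="alert")) AS alerts, count(eval(src="remove")) AS removes BY CLIENTIP
| where alerts > 0 AND removes = 0
| table CLIENTIP
```

Changing the last condition to `removes > 0` lists the IPs present in both searches, the same variation the join-based answer above produces with source1 and source2.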

Explorer

Thank you for your advice!
It is very helpful for me.



Explorer

wow so simple!
thank you for your help. : )
