Solved: how do I specify a search where different fields f...

reneedeleon · ‎05-10-2019

how do I specify a search where different fields for hostA and hostB when they are identified as IP addresses

I want to only pull stats for hostA and hostB when they are only identified as IP addresses and other specific names

index=stuff* blah OR blahblah  
| fillnull value=NULL hostA, hostB
| where match(hosA,"(\d{1,3}\.}{3}\d{1,3})")
| where match(hostB,"(\d{1,3}\.}{3}\d{1,3})")
| stats count by hostA, hostB

and

index=stuff* blah OR blahblah  
| fillnull value=NULL hostA, hostB
| regex hostA="^(\d{1,3}\.}{3}\d{1,3}).*"
| regex hostB="^(\d{1,3}\.}{3}\d{1,3}).*"
| stats count by hostA, hostB

I have tried both and neither turn up results am I taking the right approach?

woodcock · ‎05-10-2019

Like this:

index=stuff* blah OR blahblah  
| where match(hostA, "^\d+.\d+.\d+.\d+") AND match(hostB, "^\d+.\d+.\d+.\d+")
| fillnull value="NULL" hostA, hostB
| stats count BY hostA hostB

View solution in original post

woodcock · ‎05-10-2019

Like this:

index=stuff* blah OR blahblah  
| where match(hostA, "^\d+.\d+.\d+.\d+") AND match(hostB, "^\d+.\d+.\d+.\d+")
| fillnull value="NULL" hostA, hostB
| stats count BY hostA hostB

reneedeleon · ‎05-20-2019

Thank you, but I had to make a small change.

| where match(hostA, "^\d+.\d+.\d+.\d+") AND match(hostB, "^\d+.\d+.\d+.\d+")

woodcock · ‎05-20-2019

I fixed my answer, too. I initially copied yours in your question and it is broken there, too.

how do I specify a search where different fields for hostA and hostB when they are identified as IP addresses

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)