Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do you search for matching events between two groups of IP addresses?

jeremy_fade
New Member
‎10-25-2018 09:20 AM

I am trying to search for events that contain one IP from each of the two groups of IP addresses. For instance:

index=main sourcetype=* | 
search ("10.10.10.10" OR "30.30.30.30" OR "50.50.50.50" OR "70.70.70.70" OR "90.90.90.90") AND
("20.20.20.20" OR "40.40.40.40" OR "60.60.60.60" OR "80.80.80.80")

I am not specifying the source type or fields because I also want to search through multiple source types.

I couldn't find an answer similar to this issue. I also looked at subsearches, but didn't see how they would solve this.

0 Karma
Reply

valiquet
Contributor
‎10-28-2018 07:54 AM

index=main sourcetype=* | lookup ips AS ips OUTPUT ips1 ips2 | mvexpand ips1 ips2 | stats values(_raw) count DC(ips) AS dc by ips1,ips2 | where dc==1

I can't test it since you don't have logs.

0 Karma
Reply

cmerriman
Super Champion
‎10-25-2018 09:53 AM

is it possible for you to share some sample data and sample output of what you're looking for? scrubbed of pii/phi?

0 Karma
Reply

jeremy_fade
New Member
‎10-25-2018 11:44 AM

Negative. Company policy.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...