Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how do you search for matching events between two groups of IP addresses?

jeremy_fade
New Member
‎10-25-2018 09:20 AM

I am trying to search for events that contain one IP from each of the two groups of IP addresses. For instance:

index=main sourcetype=* | 
search ("10.10.10.10" OR "30.30.30.30" OR "50.50.50.50" OR "70.70.70.70" OR "90.90.90.90") AND
("20.20.20.20" OR "40.40.40.40" OR "60.60.60.60" OR "80.80.80.80")

I am not specifying the source type or fields because I also want to search through multiple source types.

I couldn't find an answer similar to this issue. I also looked at subsearches, but didn't see how they would solve this.

0 Karma
Reply

valiquet
Contributor
‎10-28-2018 07:54 AM

index=main sourcetype=* | lookup ips AS ips OUTPUT ips1 ips2 | mvexpand ips1 ips2 | stats values(_raw) count DC(ips) AS dc by ips1,ips2 | where dc==1

I can't test it since you don't have logs.

0 Karma
Reply

cmerriman
Super Champion
‎10-25-2018 09:53 AM

is it possible for you to share some sample data and sample output of what you're looking for? scrubbed of pii/phi?

0 Karma
Reply

jeremy_fade
New Member
‎10-25-2018 11:44 AM

Negative. Company policy.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...