So I have 2 separate indexes with both having ip-addresses as events.
On index A the ip-addresses are under ipaddr field and on index B the ip-addresses are under host_ip field.
What I want to do is to a) compare b) evaluate those fields (content) together.
I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.
index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip), "hit", "miss") - does not work.
Eventually, I don't yet need to know if there is a miss or a hit - I just want to find whether there ARE similar IP addresses on both.
Ideas?
Give this a try. In the main search below, make sure the IP fields are grouped with the proper index.
(index="a-index" ipaddr=*) OR (index="b-index" host_ip=*)
| eval ip=if(isnull(ipaddr),host_ip,ipaddr)
| fields index ip
| chart count(ip) AS count over ip by index
| where 'a-index'>0 AND 'b-index'>0
Thanks a bunch! Simple, yet powerful.
Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.
If you just want to find common IPs try the following instead (not tested):
index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| dedup index, ipaddr, host_ip
| rename ipaddr as host_ip
| stats dc(index) AS index_count by host_ip
| where index_count > 1
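To make the grouping point concrete outside Splunk, here is an added Python model of the two approaches discussed in this thread (it is not code from either answer and does not use Splunk). The sample events, the index names a-index/b-index and the field names ipaddr/host_ip mirror the question; the event list itself is constructed. per_event_match does what the original match(ipaddr,host_ip) attempt does and finds nothing, because each event comes from one index and so only ever carries one of the two fields; common_ips coalesces the two field names into one value and groups by address across indexes, which is the stats dc(index) by ip idea.

```python
from collections import defaultdict

# Constructed sample events standing in for two Splunk indexes. In "a-index"
# the address lives in "ipaddr"; in "b-index" it lives in "host_ip".
EVENTS = [
    {"index": "a-index", "ipaddr": "10.0.0.5"},
    {"index": "a-index", "ipaddr": "10.0.0.7"},
    {"index": "a-index", "ipaddr": "10.0.0.5"},
    {"index": "a-index", "ipaddr": "192.168.1.20"},
    {"index": "b-index", "host_ip": "10.0.0.5"},
    {"index": "b-index", "host_ip": "172.16.0.9"},
    {"index": "b-index", "host_ip": "192.168.1.20 "},  # stray whitespace, normalised below
    {"index": "b-index", "host_ip": "192.168.1.20"},
    {"index": "b-index"},  # event without any address field: skipped
]

IP_FIELDS = ("ipaddr", "host_ip")


def event_ip(event):
    """Coalesce the per-index field names into one value, like
    `eval ip=if(isnull(ipaddr),host_ip,ipaddr)` in SPL.
    Returns None when the event carries neither field."""
    for field in IP_FIELDS:
        value = event.get(field)
        if value:
            return value.strip()
    return None


def per_event_match(events):
    """The original attempt: compare ipaddr and host_ip inside each single
    event. An event belongs to exactly one index, so one side is always
    missing and the list of hits stays empty."""
    hits = []
    for e in events:
        if e.get("ipaddr") is not None and e.get("host_ip") is not None \
                and e["ipaddr"] == e["host_ip"]:
            hits.append(e)
    return hits


def common_ips(events):
    """Group by address across indexes (the `stats dc(index) by ip |
    where dc > 1` idea) and return addresses seen in more than one index,
    with the event count per index."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for e in events:
        ip = event_ip(e)
        if ip is None:
            continue
        by_ip[ip][e["index"]] += 1
    return {ip: dict(counts) for ip, counts in by_ip.items() if len(counts) > 1}


if __name__ == "__main__":
    print("per-event match hits:", per_event_match(EVENTS))
    for ip, counts in sorted(common_ips(EVENTS).items()):
        print(ip, counts)
```

Note that the per-index counts for the shared addresses differ (10.0.0.5 appears twice in a-index and once in b-index), so a filter that requires equal counts in both indexes would miss them; requiring presence in each index, as the distinct-index count does, is what the question actually asks for.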