Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare 2 indexes and 2 fields of IP addresses with different field name (result wanted: Are there similar/like IP's?)

strangelaw
Explorer
‎01-17-2016 07:56 AM

So I have 2 separate indexes with both having ip-addresses as events.
On index A the ip-addresses are under ipaddr field and on index B the ip-addresses are under host_ip field.

What I want to do is to a) compare b) evaluate those fields (content) together.

I tried several tricks available on Splunk Answers and its always missing some pieces or not suitable for this use.

index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip)), "hit", "miss") - does not work.

Eventually, I dont need yet to know if there is miss or hit - I just find to find there IS similar ip addresses on both.

Ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 02:55 PM

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index. 

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)  
| eval ip=if(isnull(ipaddr),host_ip,ipaddr) 
| fields index ip 
| chart count(ip) AS count over ip by index 
| where a-index=b-index

View solution in original post

Reply
Solved! Jump to solution
Solution

dcarmack_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 02:55 PM

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index. 

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)  
| eval ip=if(isnull(ipaddr),host_ip,ipaddr) 
| fields index ip 
| chart count(ip) AS count over ip by index 
| where a-index=b-index
Reply
Solved! Jump to solution

strangelaw
Explorer
‎01-27-2016 08:36 AM

Thanks a bunch! Simple, yet powerful.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-17-2016 11:04 AM

Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.

If you just want to find common IPs try the following instead (not tested):

index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| dedup index, ipaddr, host_ip
| rename ipaddr as host_ip 
| stats count by host_ip, index
| where count > 1
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...