Splunk Search

Compare 2 indexes and 2 fields of IP addresses with different field name (result wanted: Are there similar/like IP's?)

strangelaw
Explorer

So I have 2 separate indexes, both having IP addresses as events.
On index A the IP addresses are under the ipaddr field and on index B the IP addresses are under the host_ip field.

What I want to do is a) compare and b) evaluate the content of those fields together.

I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.

index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip), "hit", "miss") - does not work.

Eventually, I don't yet need to know whether there is a miss or a hit - I just want to find out whether there ARE similar IP addresses in both.

Ideas?

0 Karma
1 Solution

dcarmack_splunk
Splunk Employee

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index.

(index="a-index" host_ip=*) OR (index="b-index" ipaddr=*)
| eval ip=if(isnull(ipaddr),host_ip,ipaddr)
| fields index ip
| chart count(ip) AS count over ip by index
| where 'a-index' > 0 AND 'b-index' > 0


strangelaw
Explorer

Thanks a bunch! Simple, yet powerful.

0 Karma

javiergn
Super Champion

Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.

If you just want to find common IPs try the following instead (not tested):

index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| eval host_ip=coalesce(ipaddr, host_ip)
| dedup index, host_ip
| stats dc(index) AS index_count by host_ip
| where index_count > 1
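The logic both answers rely on, written out as an added Python example (this is not code from the thread or from Splunk): each event belongs to exactly one index, so a per-event comparison of ipaddr against host_ip never sees both fields, while unifying the field name, grouping by address and counting the distinct indexes each address appears in finds the overlap. The sample events and the field names ipaddr and host_ip are constructed to mirror the question; the normalization step (whitespace trimming, IPv6 case and zero-compression) is an addition a practitioner usually needs before comparing address strings from two sources.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (not data from the thread). Index "a-index" carries
# the address in "ipaddr" and "b-index" in "host_ip", as the question describes.
SAMPLE_EVENTS = [
    {"index": "a-index", "ipaddr": "10.1.2.3"},
    {"index": "a-index", "ipaddr": "10.1.2.3"},               # repeated in the same index
    {"index": "a-index", "ipaddr": "192.168.0.10"},
    {"index": "a-index", "ipaddr": "2001:db8::1"},
    {"index": "b-index", "host_ip": " 10.1.2.3 "},            # same host, stray whitespace
    {"index": "b-index", "host_ip": "192.168.0.11"},
    {"index": "b-index", "host_ip": "2001:0DB8:0:0:0:0:0:1"}, # same host as 2001:db8::1
    {"index": "b-index", "host_ip": "not-an-ip"},             # garbage that must not match
]

IP_FIELDS = ("ipaddr", "host_ip")   # the differently named fields to unify


def events_with_both_fields(events, fields=IP_FIELDS):
    """Count events that carry every listed field.

    A per-event eval such as if(match(ipaddr, host_ip), ...) can only act on
    events like these. Because every event comes from exactly one index, it
    has only one of the two fields, so the count is 0 and the per-event
    comparison can never fire."""
    return sum(1 for e in events if all(f in e for f in fields))


def normalize_ip(value):
    """Canonical text form of an IPv4/IPv6 address, or None if unparsable.

    Collapses case and zero-compression differences (2001:0DB8:0:0:0:0:0:1 and
    2001:db8::1 become the same key) and trims surrounding whitespace."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(str(value).strip()))
    except ValueError:
        return None


def common_ips(events, fields=IP_FIELDS):
    """Group events by normalized IP and keep the IPs seen in more than one index.

    This is the set-based equivalent of the thread's SPL: unify the field
    (eval ip=coalesce(...)), then stats dc(index) by ip | where dc > 1."""
    seen = defaultdict(set)                           # ip -> {index, ...}
    for event in events:
        raw = next((event[f] for f in fields if f in event), None)
        ip = normalize_ip(raw)
        if ip is None:
            continue                                  # missing field or unparsable value
        seen[ip].add(event["index"])
    return {ip: idx for ip, idx in seen.items() if len(idx) > 1}


if __name__ == "__main__":
    print("events carrying both fields:", events_with_both_fields(SAMPLE_EVENTS))
    for ip, indexes in sorted(common_ips(SAMPLE_EVENTS).items()):
        print(ip, "seen in", ", ".join(sorted(indexes)))
```

On the constructed sample this reports 0 events carrying both fields and two addresses present in both indexes, 10.1.2.3 and 2001:db8::1; the whitespace and IPv6 formatting differences would have hidden both matches from a plain string comparison.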