Splunk Search

Compare IP_address field in 2 indexes and ignore the data with the same values / or matches and display the rest.

learningnow
New Member

Want to run a report by comparing 2 indexes on " IP_Addresses" field.

Ignore any matching " IP addresses" (If IP are present in both indexes then ignore else display in query / report)
or
list any unique " IP addresses" in either index (If present in one but not in one of the other index)

in last 7 days.

Thanks in advance.

0 Karma
1 Solution

renjith_nair
Legend

@learningnow ,

Try

(index=1 OR index=2) | stats dc(index) as count by IP_Addresses|where count < 2
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@learningnow ,

Try

(index=1 OR index=2) | stats dc(index) as count by IP_Addresses|where count < 2
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...