Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Compare Source IPs From Two Searches and Display Values

ephemeric
Contributor
‎06-03-2011 07:44 AM

Hello everyone,

I'm trying to do two searches and compare the source IPs from each search that are in two different fields and show me the IP value that has the same value in each of the two fields across the two searches.

The below gives me results but if I add | where src_ip=Source_Network_Address I get nothing.

This looks like a mess to me, I'm sure there is a more elegant way to do this?

sourcetype="tippingpoint" "kerberos: authentication error" | stats count(src_ip) by src_ip | sort  - count(src_ip) | appendcols [search sourcetype="wineventlog:security" | stats count(Source_Network_Address) by Source_Network_Address | sort - count(Source_Network_Address)]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip
Reply
Solved! Jump to solution

mahs33
Explorer
‎05-27-2016 04:39 AM

Thank you so much, I have been breaking my brain and others too the whole week 😉 . can u explain the logic from stats. thanks in advance

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎06-03-2011 08:23 AM

Thank you so much, I have been breaking my brain the whole day.

I knew I should have been doing dedup early in the search, then eval and something with append in the end but I'm more on the backend of Splunk and so frontend searches take me ages to do.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...