Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Compare Source IPs From Two Searches and Display Values

ephemeric
Contributor
‎06-03-2011 07:44 AM

Hello everyone,

I'm trying to do two searches and compare the source IPs from each search that are in two different fields and show me the IP value that has the same value in each of the two fields across the two searches.

The below gives me results but if I add | where src_ip=Source_Network_Address I get nothing.

This looks like a mess to me, I'm sure there is a more elegant way to do this?

sourcetype="tippingpoint" "kerberos: authentication error" | stats count(src_ip) by src_ip | sort  - count(src_ip) | appendcols [search sourcetype="wineventlog:security" | stats count(Source_Network_Address) by Source_Network_Address | sort - count(Source_Network_Address)]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip
Reply
Solved! Jump to solution

mahs33
Explorer
‎05-27-2016 04:39 AM

Thank you so much, I have been breaking my brain and others too the whole week 😉 . can u explain the logic from stats. thanks in advance

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎06-03-2011 08:23 AM

Thank you so much, I have been breaking my brain the whole day.

I knew I should have been doing dedup early in the search, then eval and something with append in the end but I'm more on the backend of Splunk and so frontend searches take me ages to do.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...