Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare Source IPs From Two Searches and Display Values

ephemeric
Contributor
‎06-03-2011 07:44 AM

Hello everyone,

I'm trying to do two searches and compare the source IPs from each search that are in two different fields and show me the IP value that has the same value in each of the two fields across the two searches.

The below gives me results but if I add | where src_ip=Source_Network_Address I get nothing.

This looks like a mess to me, I'm sure there is a more elegant way to do this?

sourcetype="tippingpoint" "kerberos: authentication error" | stats count(src_ip) by src_ip | sort  - count(src_ip) | appendcols [search sourcetype="wineventlog:security" | stats count(Source_Network_Address) by Source_Network_Address | sort - count(Source_Network_Address)]
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎06-03-2011 08:09 AM

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip
Reply
Solved! Jump to solution

mahs33
Explorer
‎05-27-2016 04:39 AM

Thank you so much, I have been breaking my brain and others too the whole week 😉 . can u explain the logic from stats. thanks in advance

0 Karma
Reply
Solved! Jump to solution

ephemeric
Contributor
‎06-03-2011 08:23 AM

Thank you so much, I have been breaking my brain the whole day.

I knew I should have been doing dedup early in the search, then eval and something with append in the end but I'm more on the backend of Splunk and so frontend searches take me ages to do.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...