Splunk Search

Compare Source IPs From Two Searches and Display Values

Communicator

Hello everyone,

I'm trying to do two searches and compare the source IPs from each search that are in two different fields and show me the IP value that has the same value in each of the two fields across the two searches.

The below gives me results but if I add | where src_ip=Source_Network_Address I get nothing.

This looks like a mess to me, I'm sure there is a more elegant way to do this?

sourcetype="tippingpoint" "kerberos: authentication error" | stats count(src_ip) by src_ip | sort  - count(src_ip) | appendcols [search sourcetype="wineventlog:security" | stats count(Source_Network_Address) by Source_Network_Address | sort - count(Source_Network_Address)]
0 Karma
1 Solution

Influencer

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip

View solution in original post

Influencer

If I understood your problem correctly, this search should give you the list of IP addresses occurring in both searches:

sourcetype="tippingpoint" "kerberos: authentication error" | dedup src_ip | fields src_ip | eval ip=src_ip | eval type=1 | append [ search sourcetype="wineventlog:security" | dedup Source_Network_Address | fields Source_Network_Address | eval ip=Source_Network_Address | eval type=2 ] | stats dc(type) as dctype by ip | where dctype>1 | table ip

View solution in original post

Explorer

Thank you so much, I have been breaking my brain and others too the whole week 😉 . can u explain the logic from stats. thanks in advance

0 Karma

Communicator

Thank you so much, I have been breaking my brain the whole day.

I knew I should have been doing dedup early in the search, then eval and something with append in the end but I'm more on the backend of Splunk and so frontend searches take me ages to do.

0 Karma