Splunk Search

Compare two fields (IP addresss) from 2 different vendor firewalls

rookie507SL
New Member

Hi mates,

I'm figuring out how I can show a table with matching IP addresses from 2 different vendor firewalls.

So far I've tried with the "join" statement in order to do a 2nd search and then, an if statement in order to compare. Here is my search:

index=index-company sourcetype=firewall1  NOT srcIP=172.20.* | stats count by srcIP | sort 10 -count | rename srcIP as "srcfw1" | join [search index=index-company sourcetype=firewall2  NOT srcIP2=172.20.* | stats count by srcIP2 | sort 10 -count ] | eval DiffIP=if(srcfw1==srcIP2, srcIP2 ,srcfw1) | table srcfw1 DiffIP

Unfortunately, I do not get results 😞

Any help would be appreciated.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi
Can you please try this?

index=index-company sourcetype=firewall1 NOT srcIP=172.20. 
| stats count by srcIP 
| sort 10 - count | eval N1=1 | accum N1
| rename srcIP as "srcfw1" 
| append 
    [ search index=index-company sourcetype=firewall2 NOT srcIP2=172.20. 
    | stats count by srcIP2 
    | sort 10 - count | eval N1=1 | accum N1] 
| stats values(srcIP) as srcIP values(srcIP2) as srcIP2 values(srcfw1) as srcfw1 by N1
| eval DiffIP=if(srcfw1==srcIP2, srcIP2 ,srcfw1) 
| table srcfw1 DiffIP

can you make sure your individual search will return values?

Thanks

0 Karma

rookie507SL
New Member

Hi kamlesh_vaghela,

Thanks for your reply, I really appreciate.

I'm able to get a table in the statistics tab with the 2 fields, srcfw1 and DiffIP but, IP addresses do not match. Actually, when I look for the Events tab, I only see 1 sourcetype.

If I do both searches independently, I can see that results march some IP addresses in both searches.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi rookie507SL,

Yes, event tab will show you only events of the first search. It will not show you events of any subsearches.
So you can't compare event tab IP Addresses to our search output.

To execute individually & compare is the best approach to do so.

For more clarification in comparision of IP Address and there count try below search.

index=index-company sourcetype=firewall1 NOT srcIP=172.20. 
 | stats count by srcIP 
 | sort 10 - count | eval N1=1 | accum N1
 | rename srcIP as "srcfw1", count as count1 
 | append 
     [ search index=index-company sourcetype=firewall2 NOT srcIP2=172.20. 
     | stats count by srcIP2 
     | sort 10 - count | eval N1=1 | accum N1 | rename count as count2 ] 
 | stats values(srcIP) as srcIP values(srcIP2) as srcIP2 values(srcfw1) as srcfw1 values(count1) as count1 values(count2) as count2 by N1
 | eval DiffIP=if(srcfw1==srcIP2, srcIP2 ,srcfw1) 
 | table N1 DiffIP srcfw1 count1 srcIP2 count2

This will give you clear comparision of firewall data with count of events for perticular IP.

Thanks

0 Karma

HiroshiSatoh
Champion

Try this!

| set diff 
[search  index=index-company sourcetype=firewall1 NOT srcIP=172.20. | stats count by srcIP |rename  srcIP as DiffIP| sort 10 -count |table DiffIP] 
[search  index=index-company sourcetype=firewall2 NOT srcIP2=172.20. | stats count by srcIP2|rename  srcIP2 as DiffIP| sort 10 -count  |table DiffIP]

※Please be careful when increasing the number of sub search because there is a limit of 10000 defaults.

0 Karma

rookie507SL
New Member

Hi HiroshiSatoh,

Yes, thanks for your reply.

When I do the "set diff", I actually get some IP addresses for the DiffIP table in the statistics tab, but cannot confirm if this data comes from the 2 firewalls (2 sourcetypes) since I cannot see logs in the Event tab.

0 Karma

HiroshiSatoh
Champion

How about this?

index=index-company sourcetype=firewall1 NOT srcIP=172.20. 
 | stats count by srcIP 
 | sort 10 - count | eval wk_srcIP=srcIP  
 | append 
     [ search index=index-company sourcetype=firewall2 NOT srcIP2=172.20. 
     | stats count by srcIP2 
     | sort 10 - count |  | eval wk_srcIP=srcIP2] 
 | stats dc(sourcetype) as count,values(sourcetype) as sourcetype by wk_srcIP
 | where count<2
 | table sourcetype ,wk_srcIP
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...