I want to find any IP addr present in numerous sourcetypes. That is, the IP Addr MUST be present in ALL sourcetypes: Will this search return ALL IP Addr that occur in BOTH of my sourcetypes, excluding internal hosts?
sourcetype=A_LOG Source_IP!=10.* [search sourcetype=B_LOG Source_IP!=10.*]
Thanks jeffland, richgalloway, and chimell for your assistance.
Hi leotoa,
Try this search:
|set union[search sourcetype=A_LOG NOT Source_IP=10.* |fields Source_IP][search sourcetype=B_LOG NOT Source_IP=10.*|fields Source_IP ] |table Source_IP
It can also be done without subsearches and joins (if you care about runtime and required resources, for example):
sourcetype=A_LOG OR sourcetype=B_LOG NOT Source_IP=10.* | stats dc(sourcetype) AS dc by Source_IP | where dc = 2 | fields Source_IP
This should look for any IP not from 10.* in either sourcetype. If the distinct count of sourcetypes for an IP is not 2, then this IP is not in both sourcetypes (and vice versa).
I would do it similarly to the way jeffland has mentioned. I would change Source_IP!=10.* to Source_IP!=10.0.0.0/8 though, since Splunk is CIDR aware and this, in theory, will perform slightly faster. Depending on things like volume of logs and time range you might actually find it works faster to bring back all the source IPs and then filter them out (yes, counterintuitive).
sourcetype=A_LOG OR sourcetype=B_LOG Source_IP=* | where Source_IP!=10.0.0.0/8 | stats dc(sourcetype) AS dc by Source_IP | where dc = 2 | fields Source_IP
This will avoid the subsearch.
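As an added illustration (not code from this thread or from Splunk), here is the same distinct-count logic from the two answers above written in Python over a handful of constructed sample events: group events by Source_IP, count the distinct sourcetypes each IP appears in, and keep only the IPs whose count equals the number of sourcetypes asked for. It generalises the `dc = 2` test to any number of sourcetypes (the original question mentions "numerous"), uses a CIDR exclusion for 10.0.0.0/8 in the spirit of the second answer, and also shows the "either" result that the OR-only search produces, so the difference is visible. The event list, field names and function names are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events (Splunk-like dicts); not taken from the thread.
SAMPLE_EVENTS = [
    {"sourcetype": "A_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "A_LOG", "Source_IP": "10.1.2.3"},        # internal, should be excluded
    {"sourcetype": "A_LOG", "Source_IP": "198.51.100.7"},
    {"sourcetype": "A_LOG", "Source_IP": "not-an-ip"},       # unparsable value, dropped
    {"sourcetype": "B_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "B_LOG", "Source_IP": "10.1.2.3"},        # internal, should be excluded
    {"sourcetype": "B_LOG", "Source_IP": "192.0.2.9"},
    {"sourcetype": "C_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "C_LOG", "Source_IP": "198.51.100.7"},
]

# CIDR form of the "NOT Source_IP=10.*" filter used in the thread.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_external_ip(value, exclude_nets=INTERNAL_NETS):
    """Return the IP as a string if it parses and is outside every excluded
    network, otherwise None. Unparsable values are dropped on purpose."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if any(ip in net for net in exclude_nets):
        return None
    return str(ip)


def sourcetypes_by_ip(events, sourcetypes, exclude_nets=INTERNAL_NETS):
    """Equivalent of '... | stats dc(sourcetype) by Source_IP', but keeping the
    actual set of sourcetypes per IP instead of only the count."""
    wanted = set(sourcetypes)
    seen = defaultdict(set)
    for ev in events:
        st = ev.get("sourcetype")
        if st not in wanted:
            continue
        ip = parse_external_ip(ev.get("Source_IP", ""), exclude_nets)
        if ip is None:
            continue
        seen[ip].add(st)
    return seen


def ips_in_all_sourcetypes(events, sourcetypes, exclude_nets=INTERNAL_NETS):
    """IPs present in EVERY listed sourcetype: the 'where dc = N' answer."""
    seen = sourcetypes_by_ip(events, sourcetypes, exclude_nets)
    return sorted(ip for ip, sts in seen.items() if len(sts) == len(set(sourcetypes)))


def ips_in_any_sourcetype(events, sourcetypes, exclude_nets=INTERNAL_NETS):
    """IPs present in AT LEAST ONE listed sourcetype: what a plain
    '(sourcetype=A OR sourcetype=B) NOT Source_IP=10.*' search returns."""
    return sorted(sourcetypes_by_ip(events, sourcetypes, exclude_nets))


if __name__ == "__main__":
    print("in A and B:", ips_in_all_sourcetypes(SAMPLE_EVENTS, ["A_LOG", "B_LOG"]))
    print("in A, B and C:", ips_in_all_sourcetypes(SAMPLE_EVENTS, ["A_LOG", "B_LOG", "C_LOG"]))
    print("in A or B:", ips_in_any_sourcetype(SAMPLE_EVENTS, ["A_LOG", "B_LOG"]))
```

Counting distinct sourcetypes per IP (rather than events) is what makes the "present in all" test correct even when an IP appears many times in one sourcetype; the `len(set(sourcetypes))` comparison is the Python counterpart of `where dc = 2`, with 2 replaced by however many sourcetypes are listed.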
(sourcetype=A_LOG OR sourcetype=B_LOG) NOT Source_IP=10.*
But this will find IP addresses that occur in EITHER A_LOG or B_LOG. I need the Source_IP to occur in both?
My mistake. That will take a subsearch.
sourcetype=A_LOG NOT Source_IP=10.* | join type=inner Source_IP [ search sourcetype=B_LOG NOT Source_IP=10.*]