Splunk Search

How do you obtain an attribute present in numerous sourcetypes?

leotoa
New Member

I want to find any IP addr present in numerous sourcetypes. That is, the IP Addr MUST be present in ALL sourcetypes: Will this search return ALL IP Addr that occur in BOTH of my sourcetypes, excluding internal hosts?

sourcetype=A_LOG Source_IP!=10.* [search sourcetype=B_LOG Source_IP!=10.*]


leotoa
New Member

thanks jeffland, richgalloway, and chimell for your assistance


chimell
Motivator

Hi leotoa
Try this search code

| set intersect [search sourcetype=A_LOG NOT Source_IP=10.* | fields Source_IP] [search sourcetype=B_LOG NOT Source_IP=10.* | fields Source_IP] | table Source_IP

jeffland
SplunkTrust

It can also be done without subsearches and joins (if you care for runtime and required resources, for example):

sourcetype=A_LOG OR sourcetype=B_LOG NOT Source_IP=10.* | stats dc(sourcetype) AS dc by Source_IP | where dc = 2 | fields Source_IP

This should look for any ip not from 10.* in either sourcetype. If the distinct count of each sourcetype of an ip is not 2, then this ip is not in both sourcetypes (and vice versa).

Runals
Motivator

I would do it similarly to the way jeffland has mentioned. I would change Source_IP!=10.* though to Source_IP!=10.0.0.0/8 since Splunk is CIDR aware and this, in theory, will perform slightly faster. Depending on things like volume of logs and timerange you might actually find it works faster to bring back all the source IPs and then filter them out (yes, counterintuitive).

sourcetype=A_LOG OR sourcetype=B_LOG Source_IP=* | where NOT cidrmatch("10.0.0.0/8", Source_IP) | stats dc(sourcetype) AS dc by Source_IP | where dc = 2 | fields Source_IP
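The distinct-count approach from jeffland's and Runals' replies, written out in Python as an added example (not code from any poster) over constructed sample events, and generalised to any number of sourcetypes: an IP qualifies only when it has been seen in every requested sourcetype, and the 10.0.0.0/8 exclusion is a real CIDR test rather than a string comparison (the equivalent of `cidrmatch` inside a `where` clause).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events standing in for A_LOG, B_LOG and a third C_LOG
# (hypothetical sourcetype and IP values, documentation ranges only).
EVENTS = [
    {"sourcetype": "A_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "A_LOG", "Source_IP": "198.51.100.9"},
    {"sourcetype": "A_LOG", "Source_IP": "10.1.2.3"},
    {"sourcetype": "B_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "B_LOG", "Source_IP": "10.1.2.3"},
    {"sourcetype": "B_LOG", "Source_IP": "192.0.2.77"},
    {"sourcetype": "B_LOG", "Source_IP": "not-an-ip"},
    {"sourcetype": "C_LOG", "Source_IP": "203.0.113.5"},
    {"sourcetype": "C_LOG", "Source_IP": "198.51.100.9"},
]

INTERNAL = ip_network("10.0.0.0/8")


def is_external(ip_str):
    """CIDR exclusion, i.e. NOT cidrmatch("10.0.0.0/8", Source_IP).

    A plain string comparison against "10.0.0.0/8" would never match, so the
    address is parsed; values that are not valid IPs are dropped.
    """
    try:
        return ip_address(ip_str) not in INTERNAL
    except ValueError:
        return False


def ips_in_all_sourcetypes(events, sourcetypes):
    """Mirror of `stats dc(sourcetype) AS dc by Source_IP | where dc = N`.

    N is the number of sourcetypes requested, so the same logic covers two or
    more sourcetypes. Returns the sorted list of external IPs seen in all of them.
    """
    wanted = set(sourcetypes)
    seen_in = defaultdict(set)  # Source_IP -> set of sourcetypes it occurred in
    for ev in events:
        st, ip = ev.get("sourcetype"), ev.get("Source_IP")
        if st in wanted and ip and is_external(ip):
            seen_in[ip].add(st)
    return sorted(ip for ip, sts in seen_in.items() if len(sts) == len(wanted))


if __name__ == "__main__":
    print(ips_in_all_sourcetypes(EVENTS, ["A_LOG", "B_LOG"]))  # ['203.0.113.5']
    print(ips_in_all_sourcetypes(EVENTS, ["A_LOG", "B_LOG", "C_LOG"]))
```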

richgalloway
SplunkTrust

This will avoid the subsearch.

(sourcetype=A_LOG OR sourcetype=B_LOG) NOT Source_IP=10.*
---
If this reply helps you, Karma would be appreciated.

leotoa
New Member

but this will find IP ADDR that occur in EITHER A_LOG or in B_LOG. I need the Source_IP to occur in both??


richgalloway
SplunkTrust

My mistake. That will take a subsearch.

sourcetype=A_LOG NOT Source_IP=10.* | join type=inner Source_IP [ search sourcetype=B_LOG NOT Source_IP=10.*]
---
If this reply helps you, Karma would be appreciated.