Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to compare fields from two different event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
corwinz6
Explorer
07-06-2011
02:57 PM
Hello,
I am trying to come up with a search to compare the IP address values from two different log types contained in the same sourcetype. i.e. sourcetype=firewall (type=traffic AND status!=deny) Grab src and compare to src in (type=emailfilter AND blacklist)
I would then chart values that aren't denied in traffic but are blacklisted in a table showing the top 10.
How/is it possible to compare the src field in the traffic log to the src field in the email log if the above conditions are true?
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Johnvey
Contributor
07-06-2011
05:18 PM
It sounds like you're trying to do an intersection of the following 2 searches:
(1) sourcetype=firewall (type=traffic AND status!=deny)
(2) sourcetype=firewall (type=emailfilter AND blacklist)
If that's true, then you can use stats to identify a field value for src that appears in both searches:
sourcetype=firewall (type=traffic AND status!=deny) OR (type=emailfilter AND blacklist) | stats count dc(type) as type_count by src | where type_count > 1 | sort count desc | head 10
This search assumes that the two searches actually produce mutually exclusive sets.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Johnvey
Contributor
07-06-2011
05:18 PM
It sounds like you're trying to do an intersection of the following 2 searches:
(1) sourcetype=firewall (type=traffic AND status!=deny)
(2) sourcetype=firewall (type=emailfilter AND blacklist)
If that's true, then you can use stats to identify a field value for src that appears in both searches:
sourcetype=firewall (type=traffic AND status!=deny) OR (type=emailfilter AND blacklist) | stats count dc(type) as type_count by src | where type_count > 1 | sort count desc | head 10
This search assumes that the two searches actually produce mutually exclusive sets.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
corwinz6
Explorer
07-07-2011
09:21 AM
Thanks, that looks to be working great. What prevents it from incrementing type_count when more than one event gets generated for (type=traffic AND status!=deny)with the same src value but no (type=emailfilter AND blacklist)?
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
