Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare search results to a list?

Log_wrangler
Builder
‎07-24-2018 07:47 AM

I have waf logs for an application that provides userID and srcIP which I pipe to geoinfo to get the city state country info.
I have an "active_list" that provides userID, account_city, account_state, account_country.

index=someApp sourcetype=WAF | [inputlookup active_list.csv | fields userID] | table srcIP userID| geoip srcIP

Now I want to find a way that I can compare the geoip info, which outputs a "srcIP_city" to the active_list "account_city" and see all matches and non-matches.

I have been testing some methods but no luck. I am thinking I need results to go to an outputlookup and then compare the two lists.

I have tried this but I am not sure if this is correct

index=someApp sourcetype=WAF  (some key words) | table userID srcIP | geoip srcIP | table usrID srcIP srcIP_city srcIP_state srcIP_country | lookup active_list.csv userID

Here I am running my basic search first and listing field by userID, which makes it easy to see when the srcIP_city and account_city doesn't match.
But I am not sure if this is correct. Please advise, thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-24-2018 11:56 AM

Give this a try

index=someApp sourcetype=WAF  [ | inputlookup active_list.csv | fields userID] | table srcIP userID
| geoip srcIP 
 lookup active_list userID OUTPUT account_city
| eval result=if(account_city!=srcIP_city,"City Not Same","Same")

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-24-2018 11:56 AM

Give this a try

index=someApp sourcetype=WAF  [ | inputlookup active_list.csv | fields userID] | table srcIP userID
| geoip srcIP 
 lookup active_list userID OUTPUT account_city
| eval result=if(account_city!=srcIP_city,"City Not Same","Same")
0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎07-24-2018 01:12 PM

I really needed the OUTPUT example, and It works ( I added a pipe before the lookup) but the results are not consistent. I think there is a formatting issue or something because the result says "City Not Same" when they are...

0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎07-24-2018 01:46 PM

after eval src_ip and userID to upper, it works... fyi

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...