Splunk Search

How to count IPs that match fields in two different searches?

sbhuie
New Member

I need to create a search that counts IPs which return events for two different fields in the same index. Search 1 will not contain field1=ABC when Search 2 contains field2=123

Search 1:

index=weblogs field1=ABC

Search 2:

index=weblogs field2=123

richgalloway
SplunkTrust

If I understand the question correctly, this may get you started.

index=weblogs (field1=ABC OR field2=123)
| stats dc(IP)
---
If this reply helps you, Karma would be appreciated.

sbhuie
New Member

I think this will count if the IP has returned one of these fields, but I need to determine the number of unique IPs that have hit both of these fields.


bowesmana
SplunkTrust

You'll want this then

index=weblogs (field1=ABC OR field2=123)
| eval field=if(field1="ABC","field1","field2")
| stats dc(field) as fieldOccurrence by IP
| where fieldOccurrence=2

This is counting how many fields there are by IP and then filtering out only those with both field occurrences.

Hope this helps.


sbhuie
New Member

Thank you for the response!

I may not be explaining this quite well, but I'll try to be a little more specific for this scenario:

I need to determine in the web logs how many unique IPs have hit a specific URL (field1=ABC) and also have visited a URL that generates a certain value in field2.

field1=ABC will not be present in the same log where field2=123. These logs are in the same index and sourcetype.


to4kawa
Ultra Champion

index=weblogs (field1=ABC OR field2=123)
| eval state=case(field1="ABC","field1",field2="123","field2")
| stats count(eval(state="field1")) as field1_count count(eval(state="field2")) as field2_count by IP

Your sample is wrong, can you fix it into an actual query?

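The approach in the replies above, as an added self-contained example that is not from any of the posters: the first five lines build a constructed dataset of six key=value events with `makeresults` and `rex` (field names IP, field1 and field2 come from the question; the IP values are made up), and the rest is the "count fields per IP, keep IPs with both" logic, finished with a distinct count of the qualifying IPs.

```spl
| makeresults
| eval _raw="IP=10.0.0.1 field1=ABC;IP=10.0.0.1 field2=123;IP=10.0.0.2 field1=ABC;IP=10.0.0.3 field2=123;IP=10.0.0.4 field1=ABC;IP=10.0.0.4 field2=123"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "IP=(?<IP>\S+)"
| rex field=_raw "field1=(?<field1>\S+)"
| rex field=_raw "field2=(?<field2>\S+)"
| search field1=ABC OR field2=123
| eval state=case(field1="ABC","field1", field2="123","field2")
| stats dc(state) as fieldOccurrence, values(state) as states by IP
| where fieldOccurrence=2
| stats dc(IP) as ips_hitting_both
```

On real data, replace the first seven lines with `index=weblogs (field1=ABC OR field2=123)`; for the constructed events the result is ips_hitting_both=2 (10.0.0.1 and 10.0.0.4), and dropping the final `stats` lists those IPs with the states each one hit.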