Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count IPs that match fields in two different searches?

sbhuie
New Member
‎07-22-2020 12:53 PM

I need to create a search that counts IPs which return events for two different fields in the same index. Search 1 will not contain field1=ABC when Search 2 contains field2=123

Search 1:

index=weblogs field1=ABC

Search 2:

index=weblogs field2=123
Labels (4)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2020 01:38 PM

If I understand the question correctly, this may get you started.

index=weblogs (field1=ABC OR field2=123)
| stats dc(IP)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sbhuie
New Member
‎07-22-2020 01:44 PM

I think this will count if the IP has returned one of these fields, but I need to determine the number of unique IPs that have hit both of these fields.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-22-2020 09:07 PM

You'll want this then

index=weblogs (field1=ABC OR field2=123)
| stats dc(field) as fieldOccurrence by IP
| where fieldOccurrence=2

This is counting how many fields there are by IP and then filtering out only those with both field occurrences.

Hope this helps.

 

0 Karma
Reply

sbhuie
New Member
‎07-23-2020 05:31 AM

Thank you for the response!

I may not be explaining this quite well, but I'll try to be a little more specific for this scenario-

 

I need to determine in the web logs how many unique IPs have hit a specific URL (field1=ABC) and also have visited a URL that generates a certain value in field2. 

field1=ABC will not be present in the same log where field2=123. These logs are in the same index and sourcetype.

0 Karma
Reply

to4kawa
Ultra Champion
‎07-23-2020 10:19 AM

index=weblogs (field1=ABC OR field2=123)
| eval state=case(field1="ABC","field1",field2="123","field2")
| stats count(eval(state="field1")) as field1_count count(eval(state="field2")) as field2_count by IP

Your sample is wrong, can you fix it into an actual query?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...