Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count IPs that match fields in two different searches?

sbhuie
New Member
‎07-22-2020 12:53 PM

I need to create a search that counts IPs which return events for two different fields in the same index. Search 1 will not contain field1=ABC when Search 2 contains field2=123

Search 1:

index=weblogs field1=ABC

Search 2:

index=weblogs field2=123
Labels (4)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2020 01:38 PM

If I understand the question correctly, this may get you started.

index=weblogs (field1=ABC OR field2=123)
| stats dc(IP)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

sbhuie
New Member
‎07-22-2020 01:44 PM

I think this will count if the IP has returned one of these fields, but I need to determine the number of unique IPs that have hit both of these fields.

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-22-2020 09:07 PM

You'll want this then

index=weblogs (field1=ABC OR field2=123)
| stats dc(field) as fieldOccurrence by IP
| where fieldOccurrence=2

This is counting how many fields there are by IP and then filtering out only those with both field occurrences.

Hope this helps.

 

0 Karma
Reply

sbhuie
New Member
‎07-23-2020 05:31 AM

Thank you for the response!

I may not be explaining this quite well, but I'll try to be a little more specific for this scenario-

 

I need to determine in the web logs how many unique IPs have hit a specific URL (field1=ABC) and also have visited a URL that generates a certain value in field2. 

field1=ABC will not be present in the same log where field2=123. These logs are in the same index and sourcetype.

0 Karma
Reply

to4kawa
Ultra Champion
‎07-23-2020 10:19 AM

index=weblogs (field1=ABC OR field2=123)
| eval state=case(field1="ABC","field1",field2="123","field2")
| stats count(eval(state="field1")) as field1_count count(eval(state="field2")) as field2_count by IP

Your sample is wrong, can you fix it into an actual query?

 

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...