Re: Count IPs that match fields in two different ...

sbhuie · ‎07-22-2020

I need to create a search that counts IPs which return events for two different fields in the same index. Search 1 will not contain field1=ABC when Search 2 contains field2=123

Search 1:

index=weblogs field1=ABC

Search 2:

index=weblogs field2=123

richgalloway · ‎07-22-2020

If I understand the question correctly, this may get you started.

index=weblogs (field1=ABC OR field2=123)
| stats dc(IP)

---
If this reply helps you, Karma would be appreciated.

sbhuie · ‎07-22-2020

I think this will count if the IP has returned one of these fields, but I need to determine the number of unique IPs that have hit both of these fields.

bowesmana · ‎07-22-2020

You'll want this then

index=weblogs (field1=ABC OR field2=123)
| stats dc(field) as fieldOccurrence by IP
| where fieldOccurrence=2

This is counting how many fields there are by IP and then filtering out only those with both field occurrences.

Hope this helps.

sbhuie · ‎07-23-2020

Thank you for the response!

I may not be explaining this quite well, but I'll try to be a little more specific for this scenario-

I need to determine in the web logs how many unique IPs have hit a specific URL (field1=ABC) and also have visited a URL that generates a certain value in field2.

field1=ABC will not be present in the same log where field2=123. These logs are in the same index and sourcetype.

to4kawa · ‎07-23-2020

index=weblogs (field1=ABC OR field2=123)
| eval state=case(field1="ABC","field1",field2="123","field2")
| stats count(eval(state="field1")) as field1_count count(eval(state="field2")) as field2_count by IP

Your sample is wrong, can you fix it into an actual query?

How to count IPs that match fields in two different searches?

count

fields

join

stats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio