Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search query that finds a field value (eg A) that have mismatched field value(B) and field value (C)?

man03359
Communicator
‎09-18-2023 02:57 AM

Hi All,

Below is my search query -

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic")
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip
| lookup Stores_Inventory src_ip OUTPUT Device
| table src_ip Device src app

 I have 3 fields src_ip, src and device. I am getting the field values for src from the first 2 lines of the query -

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic")
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip

 I am trying to build a search query that finds src_ips that have mismatched src name and device name.

 

Thanks in advance.

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

man03359
Communicator
‎09-25-2023 04:59 AM

Hi @gcusello ,

I was able to figure out the query which worked for me-

 

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic") * [| inputlookup  Stores_Inventory
| search Device="stp*"
| return 1601 src_ip]
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip
| lookup Stores_Inventory src_ip OUTPUT Device
| eval Device = lower(Device)  
| eval src=lower(src)
| where isnotnull(Device) AND isnotnull(src)
| rex field=src "(?i)^(?<src>.*?)(?:\..*)?$"
| where src!=Device 
| table src_ip Device src app

 

Thanks for the Help, really appreciate it 🙂 🙂

Ciao.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2023 03:08 AM

Hi @man03359,

what do you mean with "src_ips that have mismatched src name and device name."?

Maybe src_ips that have different src_name or different device_name?

if this is your requirement, please try this:

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic")
| lookup Stores_Inventory src_ip OUTPUT Device
| stats 
   latest(_time) AS latest
   values(srcname) as srcname 
   latest(app) as app 
   dc(srcname) AS srcname_count
   dc(Device) AS Device_count
   BY src_ip
| where srcname_count>1 OR Device_count>1
| table src_ip Device src app

In this way you'll list all the src_ips with more than one name or device.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

man03359
Communicator
‎09-19-2023 05:23 AM

Hi @gcusello ,

What I am trying to do it create search query that finds src_ip when the field values of two fields, src and device matches with the below output.

src field values I am getting from --

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic")
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip 

and device field value I am getting from lookup -

| lookup Stores_Inventory src_ip OUTPUT Device
| table src_ip Device src app

hope this is clear!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2023 05:27 AM

Hi @man03359,

only for confirmation: you need to filter the main search using two fields from a lookup (src_ip and Device), is it correct?

if this is your requirement, you have to use a subsearch with inputlookup:

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic") [ | inputlookup Stores_Inventory | fields src_ip Device ]
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

man03359
Communicator
‎09-25-2023 04:59 AM

Hi @gcusello ,

I was able to figure out the query which worked for me-

 

index="idx-network-firewall" (sourcetype="fgt_traffic" OR sourcetype="fortigate_traffic") * [| inputlookup  Stores_Inventory
| search Device="stp*"
| return 1601 src_ip]
| stats latest(_time) values(srcname) as src latest(app) as app by src_ip
| lookup Stores_Inventory src_ip OUTPUT Device
| eval Device = lower(Device)  
| eval src=lower(src)
| where isnotnull(Device) AND isnotnull(src)
| rex field=src "(?i)^(?<src>.*?)(?:\..*)?$"
| where src!=Device 
| table src_ip Device src app

 

Thanks for the Help, really appreciate it 🙂 🙂

Ciao.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-25-2023 05:27 AM

Hi @man03359 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...