Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to track consecutive and dua...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
krishnacasso
Path Finder
02-22-2017
12:17 PM
Trying to make a table to track login of a user at same time from different IP.
[AzA][][host][12/Mar/2017:**15:28:29** -0600][Agentname][asfafaadvwegwegwevw][**USER=abc**][2412-34234-32235-2323-341342-234234][automatic][as124-4f12c2-fef3-f23f23f3f34d]
[**24.00.00.242**][/abc/aed/dsd][method][][][][qwrqwqsasasdaqwawsadsas][][protect][][][][][]
[AzA][][host][12/Mar/2017:**15:28:40** -0600][Agentname][asfafaadvwegwegwevw][**USER=abc**][2412-34234-32235-2323-341342-234234][automatic][as124-4f12c2-fef3-f23f23f3f34d]
[**23.00.00.4**][/abc/aed/dsd][method][][][][qwrqwqsasasdaqwawsadsas][][protect][][][][][]
[AzA][][host][12/Mar/2017:**15:28:55** -0600][Agentname][asfafaadvwegwegwevw][**USER=abc**][2412-34234-32235-2323-341342-234234][automatic][as124-4f12c2-fef3-f23f23f3f34d][**234.234.244.242**][/abc/aed/dsd][method][][][][qwrqwqsasasdaqwawsadsas][][protect][][][][][]
I am trying to make a table with IP like below(Only USER having different IP in log at same second).
USER IP1 Time City IP2 Time City TIMEDifference(sec)
abc 24.00.00.242 15:28:29 City1 23.00.00.4 15:28:40 City2 11
I am trying something like below and not sure to join them and get the city field of two IP.
basesearch ip!="" USER!="" | rename USER AS login| rename ip AS Address | iplocation allfields=true eval first_t=strftime(_time, "%Y-%m-%d %H:%M:%S") |
eval prev_t=strftime(prev_t, "%Y-%m-%d %H:%M:%S") | first(ipAddress) as IP1 by login | second(ipAddress) as IP2 by login
What command I can use to divide the IP as IP1 and IP2 and get city information for respective IP?
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-22-2017
03:15 PM
Give this a try
Updated#3
basesearch ip!="" USER!=""
| eval Time=_time
| bucket span=1m _time
| stats list(ip) as IP list(Time) as Time by _time USER
| where mvcount(mvdedup(IP))=2 AND mvcount(IP)=2
| eval IP1=mvindex(IP,0) | iplocation IP1 | rename City as IP1_City
| eval IP2=mvindex(IP,1) | iplocation IP2 | rename City as IP2_City
| eval "TimeDifference(sec)"=abs(tonumber(mvindex(Time,1))-tonumber(mvindex(Time,0)))
| eval IP1_Time=strftime(mvindex(Time,0), "%Y-%m-%d %H:%M:%S")
| eval IP2_Time=strftime(mvindex(Time,1), "%Y-%m-%d %H:%M:%S")
| table USER IP1* IP2* "TimeDifference(sec)"
Get Updates on the Splunk Community!
Announcing Scheduled Export GA for Dashboard Studio
We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
