Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find ip addresses which have both received and sent a message?

masoud
Explorer
‎08-21-2022 07:57 PM

It is sort of like multiplying the set with itself and getting a subset in mathematical term.

 

my data is sth like this

src_ip    dst_ip time X Y

1.1.1.1   2.2.2.2 1pm .. ...

2.2.2.2   3.3.3.3  3pm .. ...

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-23-2022 12:05 AM

VatsalJagani and PickleRick's answers all should work.  Here's an alternative:

 

| stats values(src_ip) as src_ip values(dst_ip) as dst_ip
| eval src_ip_in_dst_ip = mvmap(src_ip, if(isnull(mvfind(dst_ip, "^" . src_ip . "$")), null(), src_ip))

 

Output using your sample data is

src_ip
dst_ip
src_ip_in_dst_ip
1.1.1.1
2.2.2.2
2.2.2.2
3.3.3.3
2.2.2.2

 

View solution in original post

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎08-22-2022 12:05 AM

If I understand you correctly, you have in your events a source and destination fields and you want to find values which are present in both of those fields within your time range (which would mean that there was a connection to such an IP as well as from it).

There are probably many different approaches to such problem but I'd simply do

<your search>
| stats values(src_ip) as src_ip values(dst_ip) as dst_ip
| transpose
| rename "row 1" as IP
| mvexpand IP
| stats count by IP
| where count=2
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎08-21-2022 10:23 PM

@masoud - This would be the simplest mathematical way to do it. (In Splunk though there could be a better way of doing depending on the data.)

| set intersect [<your-search> | dedup src_ip | table src_ip] [<your-search> | dedup dest_ip | table dest_ip]

 

I hope this helps!!! Karma would be appreciated!!!

Reply
Solved! Jump to solution

masoud
Explorer
‎08-21-2022 11:14 PM

Thx mate. I update the question with more information about my data. could you please have a look?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-21-2022 08:40 PM

To get help in search forum, you really want to illustrate your data, or at least let people know which application/log your are referring to and pray that somebody here has worked on that same application/log.

0 Karma
Reply
Solved! Jump to solution

masoud
Explorer
‎08-21-2022 11:14 PM

Thx mate. I update the question with more information about my data. could you please have a look?

0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎08-23-2022 12:05 AM

VatsalJagani and PickleRick's answers all should work.  Here's an alternative:

 

| stats values(src_ip) as src_ip values(dst_ip) as dst_ip
| eval src_ip_in_dst_ip = mvmap(src_ip, if(isnull(mvfind(dst_ip, "^" . src_ip . "$")), null(), src_ip))

 

Output using your sample data is

src_ip
dst_ip
src_ip_in_dst_ip
1.1.1.1
2.2.2.2
2.2.2.2
3.3.3.3
2.2.2.2

 

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...