Splunk Search

How to find events that have different values in one field while having the same value in another field?

New Member

I got the following log events:

=====

User:A IP_address:10.0.0.1

User:B IP_address:10.0.0.2

User:C IP_address:10.0.0.3

User:A IP_address:20.1.1.1

User:C IP_address:10.0.0.3

=====

As shown above, event 1 and event 4 both have the value "A" in the User field, but they have different values in the "IPaddress" field. What search command should I use to filter the logs and find event pairs like event 1 and event 4 above (same value in the User field but different values in the IPaddress field)? Thanks!


Re: How to find events that have different values in one field while having the same value in another field?

Splunk Employee

sourcetype=yoursourcetype | stats values(IPaddress) as ips by User | where mvcount(ips)>1

...should do the trick.

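The same logic as the search above, implemented in Python over the five sample events so it can be run offline; this is an added example, not part of the original thread or a Splunk component. It reproduces what `stats values(...) by User | where mvcount(...)>1` computes, and additionally returns the concrete event pairs the question asks for, which `stats` cannot do because it discards event identity. Two caveats worth noting: the field name in the search must match the extracted field name (the sample events spell it `IP_address`, the question and answer say `IPaddress`), and because `values()` is a set of distinct values, the duplicated event for user C (same IP twice) correctly does not match. The `key:value` parser, the function names and the event numbering are assumptions of this example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample input: the five events quoted in the question above.
SAMPLE_EVENTS = [
    "User:A IP_address:10.0.0.1",
    "User:B IP_address:10.0.0.2",
    "User:C IP_address:10.0.0.3",
    "User:A IP_address:20.1.1.1",
    "User:C IP_address:10.0.0.3",
]

# Assumed event layout: whitespace-separated key:value pairs.
FIELD_RE = re.compile(r"(\w+):(\S+)")


def parse_event(line):
    """Return the key:value pairs of one raw event as a dict."""
    return dict(FIELD_RE.findall(line))


def users_with_multiple_ips(events, user_field="User", ip_field="IP_address"):
    """Equivalent of: stats values(ip) as ips by user | where mvcount(ips)>1

    Returns {user: sorted distinct IPs} for every user seen with more than
    one distinct IP. A set is used, like Splunk's values(), so repeating the
    same user/IP combination (events 3 and 5) does not count as a change.
    """
    ips_by_user = defaultdict(set)
    for line in events:
        fields = parse_event(line)
        if user_field in fields and ip_field in fields:
            ips_by_user[fields[user_field]].add(fields[ip_field])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > 1}


def conflicting_event_pairs(events, user_field="User", ip_field="IP_address"):
    """The event pairs the question asks for: same user, different IP.

    Returns sorted (event_no_1, event_no_2) tuples with 1-based event numbers.
    This is the part the stats-based search does not give you, since stats
    collapses the events per user and loses which event carried which IP.
    """
    seen_by_user = defaultdict(list)  # user -> [(event_no, ip), ...]
    for no, line in enumerate(events, start=1):
        fields = parse_event(line)
        if user_field in fields and ip_field in fields:
            seen_by_user[fields[user_field]].append((no, fields[ip_field]))
    pairs = []
    for seen in seen_by_user.values():
        for (n1, ip1), (n2, ip2) in combinations(seen, 2):
            if ip1 != ip2:
                pairs.append((n1, n2))
    return sorted(pairs)


if __name__ == "__main__":
    print(users_with_multiple_ips(SAMPLE_EVENTS))  # {'A': ['10.0.0.1', '20.1.1.1']}
    print(conflicting_event_pairs(SAMPLE_EVENTS))  # [(1, 4)]
```

From a detection standpoint this is the classic "one account, several source addresses" check; an equivalent SPL form that also exposes the count is `stats dc(IPaddress) as ip_count values(IPaddress) as ips by User | where ip_count > 1`. Either way, bound the search to a time window that makes sense for your environment, otherwise ordinary roaming between networks will match.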

Re: How to find events that have different values in one field while having the same value in another field?

New Member

Thanks a lot, it works!
