Splunk Search

How to search for same field with different ip address?

niks987
Explorer

Happy New Year to all of you.

So I have syslog in which we have details of the devices and switches.

The requirement is to find the old and new IP address for the NetworkName that was recently added to a group.

To get this I have to follow the steps below.

1. Get the NetworkName which has been recently added to the group.

2. Then get the latest CallingStation for the NetworkName.

# search for step 1 & 2
index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001
| stats latest(CallingStation) as CallingStation by NetworkName

3. Search in the index with the CallingStation to get the IPAddress (it has to run for the last 24 hours).

index=na3rc Calling_Station_ID=B0-22-7A-32-32-26
| bin span=1d _time
| stats latest(IPAddress) as IPAddress by _time CallingStation
| eval IP=if(_time<relative_time(now(),"@d"),"Old","New")

The problem here is that the IPAddress field has both the old and the new IPAddress.

I tried join but it shows no results as it is maxing out, and when I try to use it in the same search it only shows the new IPAddress.

Thanks in advance 🙂

index=xyz NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch" (Diag_Message="Authentication succeeded") NetworkName=USAZSLKRR01FIF0001
| stats latest(CallingStation) as CallingStation by NetworkName
| join CallingStation type=left [| search index=xyz
| bin span=1d _time
| stats latest(IPAddress) as IPAddress by _time CallingStation
| eval IP=if(_time<relative_time(now(),"@d"),"Old","New")]
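One join-free way to get both addresses, written as an added example for this thread and not the poster's own query: the step 1-2 search runs as a subsearch that returns only the MAC, that MAC filters the step 3 search, and a final stats splits the per-day addresses into Old and New columns. It assumes the step 3 events live in index na3rc under the field Calling_Station_ID, that both indexes write the MAC in the same format, a seven-day window for "recently added" (earliest=-7d), and a lookup window starting at yesterday midnight (earliest=-1d@d) so the day buckets line up with the @d split.

```spl
index=na3rc earliest=-1d@d
    [ search index=xyz earliest=-7d
        NetworkGroups="Device Type#All Device Types#DNAC#SingleIONBranch"
        Diag_Message="Authentication succeeded" NetworkName=USAZSLKRR01FIF0001
      | stats latest(CallingStation) as Calling_Station_ID by NetworkName
      | fields Calling_Station_ID ]
| bin span=1d _time
| stats latest(IPAddress) as IPAddress by _time Calling_Station_ID
| eval Age=if(_time<relative_time(now(),"@d"), "Old", "New")
| stats values(eval(if(Age="Old", IPAddress, null()))) as OldIP
        values(eval(if(Age="New", IPAddress, null()))) as NewIP
        by Calling_Station_ID
```

Because the subsearch returns only one MAC per NetworkName, it stays far below the subsearch result limit that join ran into; dropping the NetworkName=... term makes it return every recently added station in the group, and the outer search then ORs them together.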
