Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to search for specific IP addresses in a proxy index and compare them to another index?

ivar9692
Explorer
‎10-23-2016 09:13 PM

Hi, I'm searching for specific IP's in proxy index and trying to compare the output of that to other index (which gives the additional info about those IP's which match the condition i gave in proxy logs index) but i'm not getting any result.

I need to do above in only 1 search. I'm using subsearch command but unable to get any result. individually both are working fine if i run 1st search then pick those IP's and give it into 2nd index manually. Right now i'm using:

index=ipinfo ip_s="ip" [search index=proxylogs "conditions" |  fields ip]  stats values(ipinfo) values(fileds in index ipinfo).

i think subsearch can be used with same index only, that's why it is not working. Or the fields i'm comparing have different names. do i need to rename fields in subsearch before comparing to main search?

Please help

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-24-2016 05:01 AM

was it a typo or did you miss a "|" before the stats command?
your query - index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | fields ip] stats values(ipinfo)

 index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | fields ip] | stats values(ipinfo)...
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Reply

somesoni2
Revered Legend
‎10-24-2016 08:09 PM

Also, make sure that field name that contains IP ifnormation is same in both proxylogs and ipinfo index. If not that add a rename command in subsearch to make both field name same.

index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | stats count by ip | table ip | rename ip as ipFieldNameInipinfoIndex ] | stats values(ipinfo)...
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...