So I need to figure out how to see if the value of field ipsource equals the value of field ipdestination and, if it does, add the values of the two fields. Basically, I want the statistics to match up the items from each field and show their separate values and the values added together, so that when I graph it in the visualization section there will be 3 different values (one for each field and one for the total of the 2 fields) for each IP address.
The 2 fields are: ipsource, ipdestination
They are in the same host, and I am using all sources/sourcetypes (no specification).
Please let me know if you can help!
Hi, try this:
index=... source=your_source sourcetype=your_sourcetype host=same_host | stats c(ip_source) as count_ip_source c(ip_destination) as count_ip_destination by ip_source ip_destination | where ip_source=ip_destination | eval total=count_ip_source + count_ip_destination | table ip_source count_ip_source ip_destination count_ip_destination total
I think this is what you need:
... | chart count(ip_source) count(ip_destination) count(eval(ip_source==ip_destination)) AS count_src_is_dest
Hello! Try something like this:
index=... source=... sourcetype=... | stats values(ip_source) as ip_source values(ip_destination) as ip_destination | join [search index=... source=... sourcetype=... ip_source=* ip_destination=* | where ip_source=ip_destination | eval sumip=ip_source + ip_destination | table sumip] | table ip_source ip_destination sumip
index=... source=... sourcetype=... ip_source=* ip_destination=* | eval sumip=case(ip_source=ip_destination, ip_source + ip_destination) | stats values(ip_source) as ip_source values(ip_destination) as ip_dest values(sumip) as sumip
It's weird; so far, none have resulted in any output besides woodcock's, and his only returned a total for all of the addresses (only one thing returned).
The problem here is that you have definitely NOT been clear enough about what you desire. I can think of 3 totally different ways to understand what you wrote. It will REALLY help if you clarify with a more detailed example of data and desired results.
Uhh, ok.... So for my ipsource there are many different IP addresses that have been repeated, and the same goes for ipdestination. I would like to create a search that counts the total of each IP address, which a top/rare limit search already does, but I would like it to also match up the ipsource if it is identical (the IP address, not the number of times it has been repeated) to the ipdestination. If they are equal, it will count the total of the 2 different fields (the ipsource and ipdestination) such that the one IP address will have three values: the ipsource count, the ipdestination count, and the total count.
For mine, I don't have to specify the source/sourcetype, only the host.
Sorry if I was unclear; I am extremely new to Splunk.
Sounds like you want to count the number of times ipsource is equal to ipdestination.
Actually I think you are trying to get this:
... | eval SameOrDifferent=if(ip_destination==ip_source,"SAME","DIFFERENT") | eval bothIPs = ip_source . "," . ip_destination | makemv delim="," bothIPs | stats count AS each count(eval(SameOrDifferent=="SAME")) AS both by bothIPs | eval both=both/2
Based on your clarification, I think this will do it:
... | where ip_destination=ip_source | stats count AS both BY ip_source | rename ip_source AS ip_address | append [ ... | stats count AS source BY ip_source | rename ip_source AS ip_address ] | append [ ... | stats count AS destination BY ip_destination | rename ip_destination AS ip_address ] | stats values(*) AS * by ip_address | fillnull value=0
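A single-pass variant, added here as an illustration and not one of the answers in this thread. It assumes the fields are named ip_source and ip_destination (as in the answers above; the question calls them ipsource and ipdestination) and that host=same_host is a placeholder for the real host. Each event contributes one row per distinct address it carries, so the per-address source count, destination count and their total come from one stats call instead of three appended subsearches:

```spl
index=* host=same_host ip_source=* ip_destination=*
| eval ip_address=mvdedup(mvappend(ip_source, ip_destination))
| mvexpand ip_address
| eval as_source=if(ip_address==ip_source, 1, 0)
| eval as_destination=if(ip_address==ip_destination, 1, 0)
| stats sum(as_source) AS source sum(as_destination) AS destination BY ip_address
| eval total=source+destination
| sort - total
```

mvdedup keeps an event whose two fields hold the same address from being counted twice for that address after mvexpand. The result has one row per address with the three values the question asked for (source, destination, total), which the visualization can chart directly; an address seen in only one of the two fields still appears, with 0 in the other column.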