
How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Path Finder

Hi guys,

So I need to figure out how to see if the thing from field ipsource equals the thing from field ipdestination and if it does, add the values of the two fields if the fields equal each other. Basically, I want the statistics to match up the items from each field and show their separate value and the values added together so that when I graph it in the visualization section there will be 3 different values (one for each field and one of the total of the 2 fields) for each ip address.

The 2 fields are: ipsource, ipdestination
They are in the same host and I am using all sources/sourcetypes (no specification)

Please let me know if you can help!


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Builder

Hi, try this:

index=... source=your_source sourcetype=your_sourcetype host=same_host | stats c(ip_source) as count_ip_source c(ip_destination) as count_ip_destination | where ip_source=ip_destination | eval total=count_ip_source + count_ip_destination | table ip_source count_ip_source ip_destination count_ip_destination total

Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Esteemed Legend

I think this is what you need:

... | chart count(ip_source) count(ip_destination) count(eval(ip_source==ip_destination)) AS count_src_is_dest

Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Motivator

Hello! Try something like this:

index=... source=... sourcetype=... | stats values(ip_source) as ip_source values(ip_destination) as ip_destination | join [search index=... source=... sourcetype=... ip_source=* ip_destination=* | where ip_source=ip_destination | eval sumip=ip_source + ip_destination | table sumip] | table ip_source ip_destination sumip

or this

index=... source=... sourcetype=... ip_source=* ip_destination=* | eval sumip=case(ip_source=ip_destination, ip_source + ip_destination) | stats values(ip_source) as ip_source values(ip_destination) as ip_dest values(sumip) as sumip

Thanks


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Path Finder

It's weird, so far, none have resulted in any output besides woodcock's and his only returned a total for all of the addresses (only one thing returned)


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Esteemed Legend

The problem here is that you have definitely NOT been clear enough about what you desire. I can think of 3 totally different ways to understand what you wrote. It will REALLY help if you clarify with a more detailed example of data and desired results.


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Path Finder

uhh ok.... So for my ipsource there are many different ip addresses that have been repeated and the same goes for ipdestination. I would like to create a search that counts the total of each ip address which a top/rare limit search already does but I would like it to also match up the ipsource if it is identical (the ip address not the amount of times it has been repeated) to the ipdestination. If they are equal, it will count the total of the 2 different fields ( the ipsource and ipdestination) such that the one ip address will have three values: the ipsource count, the ipdestination count, the total count.

For mine, I don't have to specify the source/sourcetype, only the host.

Sorry if I was unclear, I am extremely new to splunk.


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Engager

Sounds like you want to count the number of times ipsource is equal to ipdestination.


Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Esteemed Legend

Actually I think you are trying to get this:

... | eval SameOrDifferent=if(ip_destination==ip_source, "SAME", "DIFFERENT") | eval bothIPs=ip_source . "," . ip_destination | makemv delim="," bothIPs | stats count AS each count(eval(SameOrDifferent=="SAME")) AS both BY bothIPs | eval both=both/2

Re: How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Esteemed Legend

Based on your clarification, I think this will do it:

... | where ip_destination=ip_source
| stats count AS both BY ip_source
| rename ip_source AS ip_address
| append [  ... | stats count AS source      BY ip_source      | rename ip_source      AS ip_address ]
| append [  ... | stats count AS destination BY ip_destination | rename ip_destination AS ip_address ]
| stats values(*) AS * by ip_address
| fillnull value=0
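To see what the accepted search above actually produces, here is an added Python reimplementation (not from the thread or from Splunk) run over a handful of constructed sample events: it builds the same per-IP source, destination and both counts the three stats commands produce after the append and values(*) merge, and adds the source + destination total the original question asked for, which is not the same number as both.

```python
"""Reproduce, on constructed sample events, the per-IP table the accepted SPL
search builds. Added example; the event layout is an assumption."""
from collections import defaultdict

# Constructed sample events (not real data): each has ip_source/ip_destination.
SAMPLE_EVENTS = [
    {"ip_source": "10.0.0.1", "ip_destination": "10.0.0.2"},
    {"ip_source": "10.0.0.1", "ip_destination": "10.0.0.1"},  # src == dst
    {"ip_source": "10.0.0.2", "ip_destination": "10.0.0.1"},
    {"ip_source": "10.0.0.3", "ip_destination": "10.0.0.3"},  # src == dst
    {"ip_source": "10.0.0.3", "ip_destination": "10.0.0.3"},  # src == dst
    {"ip_source": "10.0.0.2", "ip_destination": "10.0.0.3"},
    {"ip_source": "10.0.0.4"},  # no ip_destination, as in sparse logs
]


def count_by_ip(events):
    """Return {ip_address: {"source", "destination", "both", "total"}}.

    source      -> '... | stats count AS source BY ip_source'
    destination -> '... | stats count AS destination BY ip_destination'
    both        -> 'where ip_destination=ip_source | stats count AS both'
    total       -> source + destination, the sum the question asked for
    Defaulting every counter to 0 mirrors 'fillnull value=0'.
    """
    table = defaultdict(lambda: {"source": 0, "destination": 0, "both": 0})
    for ev in events:
        src = ev.get("ip_source")
        dst = ev.get("ip_destination")
        if src is not None:
            table[src]["source"] += 1
        if dst is not None:
            table[dst]["destination"] += 1
        # 'where' silently drops events that lack either field
        if src is not None and src == dst:
            table[src]["both"] += 1
    for row in table.values():
        row["total"] = row["source"] + row["destination"]
    return dict(table)


def self_addressed(events):
    """IPs seen with src == dst at least once: the rows the asker cares about."""
    return sorted(ip for ip, r in count_by_ip(events).items() if r["both"] > 0)


if __name__ == "__main__":
    print(f"{'ip_address':<12}{'source':>7}{'destination':>12}{'both':>5}{'total':>6}")
    for ip, r in sorted(count_by_ip(SAMPLE_EVENTS).items()):
        print(f"{ip:<12}{r['source']:>7}{r['destination']:>12}{r['both']:>5}{r['total']:>6}")
```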
