Solved: How to search if a value from FieldA equals a valu... - Page 2

BITSIntern · ‎06-30-2015

Hi guys,

So I need to figure out how to see if the thing from field ip_source equals the thing from field ip_destination and if it does, add the values of the two fields if the fields equal each other. Basically, I want the statistics to match up the items from each field and show their separate value and the values added together so that when I graph it in the visualization section there will be 3 different values (one for each field and one of the total of the 2 fields) for each ip address.

The 2 fields are: ip_source, ip_destination
They are in the same host and I am using all sources/sourcetypes (no specification)

Please let me know if you can help!

woodcock · ‎07-01-2015

Based on your clarification, I think this will do it:

... | where ip_destination=ip_source
| stats count AS both BY ip_source
| rename ip_source AS ip_address
| append [  ... | stats count AS source      BY ip_source      | rename ip_source      AS ip_address ]
| append [  ... | stats count AS destination BY ip_destination | rename ip_destination AS ip_address ]
| stats values(*) AS * by ip_address
| fillnull value=0

View solution in original post

How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!