Hi there,
I'm very new to Splunk and don't have much experience yet. Splunk Answers is great and has helped me a lot, but in the following situation I have no idea how to solve the problem.
I have two searches, each of which gives me a list of IP addresses as a result. I want to list the IP addresses of the two searches, each in a column, and the delta between the two in a third column.
Search string #1:
src_mac_vendor="nexans deutschland gmbh ans" sourcetype=dhcpd dhcp_message="DHCPACK" src_mac_prefix="00:c0:29" | dedup src_ip
Search string #2:
sourcetype=syslog host=* | rex ".*\d]\s(?<Switch>S[2-3].*)\s:\s" | dedup Switch
Thanks for your help!!!
Hi guys,
Thank you very much for your answers. But it's not exactly what I'm looking for. Both solutions print out two columns with the result of each search. But my problem is to build a third column, where the result is a diff of the first and second.
Try this:
src_mac_vendor="nexans deutschland gmbh ans" sourcetype=dhcpd dhcp_message="DHCPACK" src_mac_prefix="00:c0:29" | dedup src_ip | appendcols [ search sourcetype=syslog host=* | rex ".*\d]\s(?<Switch>S[2-3].*)\s:\s" | dedup Switch ]
I worked with the tutorial data. Here are my two searches:
1: sourcetype=access_* status=200 action="addtocart" | top clientip | table clientip | rename clientip AS ip1
2: search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2
I can then join both searches as one, just like this:
sourcetype=access_* status=200 action="addtocart"| top clientip | table clientip | rename clientip AS ip1| table ip1 | join [search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2| table ip2]
With this, you can display both ip1 and ip2.
To subtract ip1 and ip2, you can just add eval delta=ip1-ip2
But you should know that we can't subtract IP addresses that way. If you work with integers or reals it will be OK, but not with IP addresses.
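As an added example (not from any of the posts above), here is one way to get the set-style "delta" the question seems to be asking for, built from the asker's own two searches: each IP is tagged with the list it came from, the two lists are appended into one result set, and a stats by ip shows which list(s) each address appears in. It assumes the Switch field extracted in search #2 holds the same kind of value as src_ip so the two can be compared; the column names dhcp_ip, syslog_ip, seen_in and delta are made up for this example.

```spl
src_mac_vendor="nexans deutschland gmbh ans" sourcetype=dhcpd dhcp_message="DHCPACK" src_mac_prefix="00:c0:29"
| dedup src_ip
| eval ip=src_ip, in_list="dhcp"
| table ip in_list
| append
    [ search sourcetype=syslog host=*
      | rex ".*\d]\s(?<Switch>S[2-3].*)\s:\s"
      | dedup Switch
      | eval ip=Switch, in_list="syslog"
      | table ip in_list ]
| stats values(in_list) AS seen_in BY ip
| eval dhcp_ip=if(isnotnull(mvfind(seen_in, "^dhcp$")), ip, null())
| eval syslog_ip=if(isnotnull(mvfind(seen_in, "^syslog$")), ip, null())
| eval delta=if(mvcount(seen_in)=1, ip, null())
| table dhcp_ip syslog_ip delta
```

The delta column holds the addresses present in exactly one of the two lists, which is the "difference" that eval delta=ip1-ip2 cannot express; note that append runs the second search as a subsearch, so it is bound by the subsearch row and time limits of your Splunk deployment.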