Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Matching an IP address across two sourcetypes

santorof
Path Finder
‎11-04-2015 06:39 AM

I am trying to get matching IP address's from my asset list and another device. My source1 does not have a username associated with the IP but my asset list does. I want to match the IP addresses and pull out the username in my asset list. In source1 I have a field called src_ip and in my asset list the field is IP_Address. I want to match the addresses, output one in a table or stats, along with the username pulled from an event matching the ip address from source1. Below is my attempts at trying to do this with no success.

sourcetype=Source1 | eval ip=src_ip | where ip=ip2 | table ip,dest | join ip type=inner [search sourcetype=Source_Assets earliest=-1h | eval ip2=IP_Address | table Username,ip]

sourcetype=Source1 | chart count by src_ip,dest_ip | append [search index=assets sourcetype=Source_Assets | fields Username,IP_Address | chart count by Username]

I get results for the second one but no output.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-04-2015 11:27 PM

I think you need to put your asset list into a lookup table instead of indexing it. Using a lookup will make this simple and flexible.
Here is a link to the lookup tutorial in the Splunk documentation.

If you don't want to use lookups, here is an alternative:

sourcetype=Source1 
| chart count by src_ip,dest_ip 
| join src_ip type=outer [ search index=assets sourcetype=Source_Assets 
    | fields Username,IP_Address | rename IP_Address as src_ip ]

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎11-04-2015 11:27 PM

I think you need to put your asset list into a lookup table instead of indexing it. Using a lookup will make this simple and flexible.
Here is a link to the lookup tutorial in the Splunk documentation.

If you don't want to use lookups, here is an alternative:

sourcetype=Source1 
| chart count by src_ip,dest_ip 
| join src_ip type=outer [ search index=assets sourcetype=Source_Assets 
    | fields Username,IP_Address | rename IP_Address as src_ip ]
Reply
Solved! Jump to solution

santorof
Path Finder
‎11-23-2015 09:42 AM

I am always trying to make more difficult then they seem haha. I took your advice and did an asset list and Splunk did all the world and correlated the correct information for me per event. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...