Splunk Search

Searching for matches in Output across entire range?

interrobang
Explorer

 

(index="external*" Feedback* "Text")
| transaction channel startswith=POST endswith=received maxspan=1m maxevents=2
| xmlkv
| dedup ip1
| table ip1
| appendcols [ search index="internal*" "Missing"
| eval fields=split(_raw,"|")
| eval ip2=mvindex(fields,7)
| dedup ip2
| table ip2 ]

I have two separate searches outputting to a table: the first, for ip1, has a small number of IP addresses (10-20 usually); the second, for ip2, has a much larger number of IP addresses (1000+ usually).

E.g. output might look like:

ip1            ip2
192.168.1.1
192.1681.4
192.168.1.20   192.168.4.50
172.20.20.1    172.1.2.10
192.168.1.60   192.168.4.68
12.140.14.30   13.150.34.40
               100.149.50.4
               192.168.1.60
               172.27.27.4
               172.40.40.3
               infinity


I need to cross-reference the full list/range of ip2 for any occurrences of IPs from ip1, and maybe have these display in a new column.

However, this seems to be proving difficult for what I keep trying, and I can only seem to search the output on a row-by-row comparison basis, which is not what I need and will almost never get a result, e.g. ip1row1 does not match ip2row1, which goes down to ip1rowX & ip2rowX and then multiple empty ip1rows comparing to ip2rowX+ infinity.


ITWhisperer
SplunkTrust

It is often said that appendcols is rarely the answer, and so it is in this case!

Try something like this:

(index="external*" Feedback* "Text")
| transaction channel startswith=POST endswith=received maxspan=1m maxevents=2 
| xmlkv 
| dedup ip1
| table ip1
| eval part=1
| append [ search index="internal*" "Missing"
| eval fields=split(_raw,"|") 
| eval ip1=mvindex(fields,7)
| dedup ip1
| table ip1 
| eval part=2 ]
| stats sum(part) as part by ip1

Where part = 1, it only exists in the first search; where part = 2, it only exists in the second search; and, where part = 3, it exists in both searches
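
Added here as an illustration (not code from the thread or from Splunk): a Python model of the append + stats sum(part) pattern above, run over constructed sample data, which also shows why the dedup in each branch is required for the 1/2/3 encoding to stay unambiguous.

```python
from collections import defaultdict

# Constructed sample data. IP1_RESULTS stands in for the dedup'd output of the
# first search; INTERNAL_RAW stands in for pipe-delimited events of the second
# search, with the IP at mvindex(fields,7), i.e. the 8th pipe-separated field.
IP1_RESULTS = ["192.168.1.1", "192.168.1.20", "192.168.1.60", "12.140.14.30"]
INTERNAL_RAW = [
    "2024-05-01|host1|app|Missing|x|y|z|192.168.4.50|...",
    "2024-05-01|host1|app|Missing|x|y|z|192.168.1.60|...",
    "2024-05-01|host2|app|Missing|x|y|z|192.168.1.60|...",  # duplicate IP
    "2024-05-01|host2|app|Missing|x|y|z|100.149.50.4|...",
]

def ip_from_raw(raw: str) -> str:
    """Equivalent of: eval fields=split(_raw,"|") | eval ip1=mvindex(fields,7)"""
    return raw.split("|")[7]

def classify(ip1_results, internal_raw, dedup=True):
    """Return {ip: part} with the same meaning as stats sum(part) by ip1:
    1 = only in the first search, 2 = only in the second, 3 = in both."""
    first = list(ip1_results)
    second = [ip_from_raw(r) for r in internal_raw]
    if dedup:  # the `| dedup ip1` step in each branch
        first = list(dict.fromkeys(first))
        second = list(dict.fromkeys(second))
    rows = [(ip, 1) for ip in first] + [(ip, 2) for ip in second]  # append
    parts = defaultdict(int)
    for ip, part in rows:  # stats sum(part) by ip1
        parts[ip] += part
    return dict(parts)

def in_both(ip1_results, internal_raw):
    """IPs present in both searches (part == 3)."""
    return sorted(ip for ip, p in classify(ip1_results, internal_raw).items() if p == 3)

if __name__ == "__main__":
    print(classify(IP1_RESULTS, INTERNAL_RAW))
    # Without dedup the sum is ambiguous: an IP seen twice in the second search
    # alone sums to 4, and one seen twice in the first search alone sums to 2.
    print(classify(IP1_RESULTS, INTERNAL_RAW, dedup=False))
```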

interrobang
Explorer

Thanks @ITWhisperer, ignore my other comment; I must have had a typo or something, because I adjusted & then unadjusted and reran it to try verifying the results again, and got the more expected output, with thousands of part 2 results and a handful of part 3 results, and the part 3 results matched verification.

Thanks mate! Much clearer!


interrobang
Explorer

Thank you, logically that makes more sense to me now.

I'm not getting any hits from both, i.e. part = 3, as yet, which could be normal -- just have to wait & see results for when it's happening, or adjust my window to where it has in the past...

However, I'm getting a few dozen results, with most returning from part 1 and maybe half a dozen returning part 2... I would have expected to see several hundred/thousands of unique IPs from part 2. Not that it matters hugely, but what's the reasoning here? Is it down to how the append subsearch is now working; maybe it's now limited and cutting itself off at some point?
