Splunk Search

Show only matching IP's from two different fields

sbattista09
Contributor

base search would be: index=index1 host=scan1 OR host=scan2

In the scans there are fields that are named differently but have Ip address in them, I would like Splunk to take the two fields and show me only the IP's that appear in both of them and get a total count. The names of the fields are IPAddressText and IPHost. I hope there is a simple eval statement someone could help me with.

thanks!

0 Karma
1 Solution

sbattista09
Contributor

not sure if the will make sense but, i built it out a little differently and it works, i named the fileds in the CSV's the same that i need to compare counts-

[|inputlookup ipsav.csv] index=summaryindex host=host1 | timechart count | Rename count As "total count of host1" | appendcols[search [|inputlookup ipsav.csv] index=summaryindex host=host1 OR host=host2 |stats count by "FIELD NAMED THE SAME IN BOTH HOSTS"| Where count = 1 | stats count | Rename count as " show count if the count is only one"]

thanks for the help guys.

View solution in original post

0 Karma

sbattista09
Contributor

not sure if the will make sense but, i built it out a little differently and it works, i named the fileds in the CSV's the same that i need to compare counts-

[|inputlookup ipsav.csv] index=summaryindex host=host1 | timechart count | Rename count As "total count of host1" | appendcols[search [|inputlookup ipsav.csv] index=summaryindex host=host1 OR host=host2 |stats count by "FIELD NAMED THE SAME IN BOTH HOSTS"| Where count = 1 | stats count | Rename count as " show count if the count is only one"]

thanks for the help guys.

0 Karma

sbattista09
Contributor

sorry, it did not work. its seems to be having trouble searching between the two fields. I say this because I ran just the index=index1 host=scan1 OR host=scan2 PAddressText=* IPHost=* part and nothing came up until i put a OR between the PAddressText=* IPHost=*.

0 Karma

_d_
Splunk Employee
Splunk Employee

See if this works for you:

index=index1 host=scan1 OR host=scan2 PAddressText=* IPHost=* | where IPAddressText=IPHost
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...