Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

compare 2 field different source type

pgabriel10
Loves-to-Learn Lots
‎09-10-2021 02:55 PM

Hello guys,

I have the VPN log and network log.

- In VPN log's it's possible to show IP and USERNAME 
- In Network log it's possible to show what's site the IP access. 

I need to comparare 2 fields ( IP VPN  [src_ip] , IP Network [SRC])  if the field is the same i will add the user.

I Tried this:

 

 

 

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log)
| where src_ip=SRC
| eval username_acess=user
| table username_acess,SRC,dst

 

 

 

But doesnt work.

Another way is:

 

 

 

| eval field1=SRC,field2=src_ip 
| eval results1=if(field1=field2,"Yes","No") 
| eval results2=if(match(field1,field2),"Yes","No")
| where match(field1,field2)

 

 

 

I think the error is because the sourcetype is different.

Could you help me ? 

 

 

 

 

Labels (2)
Labels
0 Karma
Reply

pgabriel10
Loves-to-Learn Lots
‎09-10-2021 08:10 PM

I tried but doesnt work. The dst field is blank. Just show the username and SRC. 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-11-2021 01:25 AM

The dst field came from your example - if it is not filled, you should look at your extractions

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-10-2021 03:54 PM

It doesn't work because splunk works on a pipeline of events - your events come from different source types so the fields extracted in one sourcetype may not exist in the other source type. You can rename one of the fields so it has the same name as the other sourcetype and then either join or use stats to collate the information from the different sourcetypes.

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log)
| rename src_ip as SRC
| stats values(user) as username_access values(dst) as dst by SRC
| table username_acess,SRC,dst
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...