Splunk Search

Compare 2 fields from different source types

pgabriel10
Loves-to-Learn Lots

Hello guys,

I have the VPN log and the network log.

- In the VPN logs it's possible to show the IP and USERNAME.
- In the network log it's possible to show which site the IP accessed.

I need to compare 2 fields (VPN IP [src_ip], network IP [SRC]); if the field is the same I will add the user.

I tried this:

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log)
| where src_ip=SRC
| eval username_acess=user
| table username_acess,SRC,dst

But it doesn't work.

Another way is:

| eval field1=SRC,field2=src_ip 
| eval results1=if(field1=field2,"Yes","No") 
| eval results2=if(match(field1,field2),"Yes","No")
| where match(field1,field2)

I think the error is because the source types are different.

Could you help me?

0 Karma

pgabriel10
Loves-to-Learn Lots

I tried it but it doesn't work. The dst field is blank. It just shows the username and SRC.

0 Karma

ITWhisperer
SplunkTrust

The dst field came from your example - if it is not filled, you should look at your extractions.

0 Karma

ITWhisperer
SplunkTrust

It doesn't work because Splunk works on a pipeline of events - your events come from different source types, so the fields extracted in one source type may not exist in the other source type. You can rename one of the fields so it has the same name as in the other source type and then either join or use stats to collate the information from the different source types.

index=security host=homolog (sourcetype=vpn_log OR sourcetype=network_log)
| rename src_ip as SRC
| stats values(user) as username_access values(dst) as dst by SRC
| table username_access,SRC,dst
0 Karma
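To make the pipeline point concrete, here is an added Python model of the two searches in this thread (my illustration, not Splunk code and not from either poster). It builds a handful of constructed events, shows that a per-event `where src_ip=SRC` can never match because no single event carries both fields, and then applies the rename-then-`stats ... by SRC` collation from the answer above. The event shapes, IPs, users and hostnames are all made up for the example; `values()` is modelled as a sorted list of distinct values, which is how Splunk's `values()` behaves.

```python
# Added example, not from the Splunk thread: a small model of how an SPL
# pipeline evaluates `where src_ip=SRC` per event versus collating VPN and
# network events with `rename src_ip as SRC | stats ... by SRC`.
from collections import defaultdict

# Constructed sample events. VPN events carry src_ip + user; network events
# carry SRC + dst. No single event has both src_ip and SRC, which is exactly
# why a per-event comparison of the two fields finds nothing.
EVENTS = [
    {"sourcetype": "vpn_log", "src_ip": "10.0.0.5", "user": "alice"},
    {"sourcetype": "vpn_log", "src_ip": "10.0.0.9", "user": "bob"},
    {"sourcetype": "network_log", "SRC": "10.0.0.5", "dst": "intranet.example"},
    {"sourcetype": "network_log", "SRC": "10.0.0.5", "dst": "mail.example"},
    {"sourcetype": "network_log", "SRC": "10.0.0.7", "dst": "wiki.example"},
]


def where_src_ip_equals_src(events):
    """Model of `| where src_ip=SRC`: evaluated one event at a time, so an
    event missing either field never passes. Returns the surviving events."""
    return [e for e in events
            if "src_ip" in e and "SRC" in e and e["src_ip"] == e["SRC"]]


def rename_then_stats(events):
    """Model of `| rename src_ip as SRC
                 | stats values(user) as username_access values(dst) as dst by SRC`.
    Events from both source types now share the SRC key, so stats can group
    them together. values() yields the distinct values, lexicographically sorted."""
    renamed = []
    for e in events:
        e = dict(e)                      # don't mutate the caller's events
        if "src_ip" in e:
            e["SRC"] = e.pop("src_ip")   # rename src_ip as SRC
        renamed.append(e)

    groups = defaultdict(lambda: {"username_access": set(), "dst": set()})
    for e in renamed:
        if "SRC" not in e:
            continue                     # stats by SRC drops events lacking the split-by field
        if "user" in e:
            groups[e["SRC"]]["username_access"].add(e["user"])
        if "dst" in e:
            groups[e["SRC"]]["dst"].add(e["dst"])

    return {src: {k: sorted(v) for k, v in fields.items()}
            for src, fields in sorted(groups.items())}


def attributed_rows(events):
    """Only the rows where an IP has both a VPN user and at least one
    destination, i.e. the user-to-site attribution the question asks for.
    Rows with one side empty correspond to the blank fields seen in the thread."""
    return [(src, f["username_access"], f["dst"])
            for src, f in rename_then_stats(events).items()
            if f["username_access"] and f["dst"]]


if __name__ == "__main__":
    print("where src_ip=SRC ->", where_src_ip_equals_src(EVENTS))   # []
    for src, fields in rename_then_stats(EVENTS).items():
        print(src, fields)
    print("attributed:", attributed_rows(EVENTS))
```

Running it shows `where_src_ip_equals_src` returning an empty list, while the stats model yields one row per SRC: 10.0.0.5 has both a user and destinations, 10.0.0.9 has a user but no dst, and 10.0.0.7 has a dst but no user. In SPL those one-sided rows show up as blank cells; if only fully attributed rows are wanted, append `| where isnotnull(username_access) AND isnotnull(dst)` after the stats, which is what `attributed_rows` does here.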