find IP resulting from initial search in another sourcetype

leotoa
New Member

I want to see if IP addresses that result from one search (where they are seen to perform a particular action, e.g. a GET request) have been seen in another sourcetype, i.e. has any IP that has made a GET request been seen in sourcetype=A?

Here's the current search that yields the initial results:
sourcetype=* Request=GET Source!=10.* Status!=200
| table _time Source_IP Domain Status
| stats count(_time) as occurrence values(Status) as "Status" by Source_IP

So now I want to take those Source_IPs and check if they are present in another sourcetype, e.g. alert_log.


acharlieh
Influencer

There are a number of ways to do this; it kind of depends on what exactly you're looking to retrieve in your results and how your data is shaped. I'm making some assumptions about what fields you have extracted in the examples below, of course.

One option is a basic subsearch, something like:

sourcetype=A [search sourcetype=access_combined method=GET | dedup src_ip | fields + src_ip]

Other options include a join or a map command.

Another possibility could be by using stats:

(sourcetype=access_combined method=GET) OR (sourcetype=A) | stats count(eval(sourcetype="access_combined")) as num_get count(eval(sourcetype="A")) as num_a by src_ip | where num_get > 0 AND num_a > 0

Hopefully this gives you some ideas of things to play with.

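A fuller version of the stats approach, written up here as an added example rather than code from the thread, tying it back to the fields in the question. It assumes the web events are sourcetype=access_combined and carry Source_IP and Status as in leotoa's search, and that alert_log holds the address in a field called src_ip (an assumed name; substitute whatever that sourcetype actually extracts). Since the two sourcetypes name the address field differently, the IP is normalized with coalesce before the stats, and the where clause requires a hit in both sourcetypes, which is the actual question being asked:

```spl
(sourcetype=access_combined Request=GET Source_IP!=10.* Status!=200) OR sourcetype=alert_log
| eval ip=coalesce(Source_IP, src_ip)
| stats count(eval(sourcetype="access_combined")) AS num_get
        values(eval(if(sourcetype="access_combined", Status, null()))) AS get_status
        count(eval(sourcetype="alert_log")) AS num_alerts
        min(eval(if(sourcetype="alert_log", _time, null()))) AS first_alert
        by ip
| where num_get > 0 AND num_alerts > 0
| eval first_alert=strftime(first_alert, "%Y-%m-%d %H:%M:%S")
| sort - num_alerts
```

The subsearch form is fine for a short list of addresses, but a subsearch is capped (10,000 results and 60 seconds by default) and silently truncates beyond that, so the stats form is the safer choice over a wide time range. Note also that Source_IP!=10.* only excludes 10.0.0.0/8; if the intent is to drop all internal addresses, 172.16.0.0/12 and 192.168.0.0/16 need excluding as well, which is cleaner with cidrmatch() in a where clause than with wildcards.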

leotoa
New Member

Thank you very much for the input, I will have a go at these options. It will at least give me more than what I have now, haha. Much appreciated.
