Compare 2 indexes and 2 fields of IP addresses with different field names (result wanted: are there similar/like IPs?)

strangelaw
Explorer

So I have 2 separate indexes, both having IP addresses as events.
On index A the IP addresses are under the ipaddr field and on index B the IP addresses are under the host_ip field.

What I want to do is to a) compare b) evaluate those fields (content) together.

I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.

index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip)), "hit", "miss") - does not work.

Eventually, I don't need yet to know if there is a miss or a hit - I just want to find out whether there ARE similar IP addresses on both.

Ideas?

1 Solution

dcarmack_splunk
Splunk Employee

Give this a try. In the main search below, make sure the IP fields are grouped with the proper index.

(index="a-index" ipaddr=*) OR (index="b-index" host_ip=*)
| eval ip=if(isnull(ipaddr),host_ip,ipaddr)
| fields index ip
| chart count(ip) AS count over ip by index
| where 'a-index'>0 AND 'b-index'>0

strangelaw
Explorer

Thanks a bunch! Simple, yet powerful.


javiergn
SplunkTrust

Keep in mind you have two different event flows: a-index and b-index, and therefore your match is not going to work. Match will compare fields within the same event and your event either belongs to a-index or b-index. You need to group your events first.

If you just want to find common IPs try the following instead (not tested):

index=a-index OR index=b-index
| fields index, ipaddr, host_ip
| dedup index, ipaddr, host_ip
| eval host_ip=coalesce(host_ip, ipaddr)
| stats dc(index) AS index_count by host_ip
| where index_count > 1
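A self-contained check of the grouping approach, added here and not part of either answer: it builds four constructed events with makeresults (src_index stands in for the real index field, which makeresults cannot set), coalesces the two differently named IP fields into one, and keeps only IPs seen in more than one index, reporting which indexes and how many events. To run it against live data, replace the first six lines with the base search (index="a-index" ipaddr=*) OR (index="b-index" host_ip=*) and src_index with index.

```spl
| makeresults
| eval rows=split("a-index:10.0.0.1,a-index:10.0.0.2,b-index:10.0.0.2,b-index:10.0.0.3", ",")
| mvexpand rows
| rex field=rows "(?<src_index>[^:]+):(?<raw_ip>.+)"
| eval ipaddr=if(src_index="a-index", raw_ip, null()), host_ip=if(src_index="b-index", raw_ip, null())
| fields - _time rows raw_ip
| eval ip=coalesce(ipaddr, host_ip)
| stats values(src_index) AS seen_in, dc(src_index) AS index_count, count AS events BY ip
| where index_count > 1
```

Expected result is a single row for 10.0.0.2 with seen_in = a-index, b-index and index_count = 2. Inserting | eval results=if(match(ipaddr,host_ip),"hit","miss") before the stats marks every row "miss", which is the per-event limitation described above: no single event carries both fields.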