Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search events with matching IP addresses from two different indexes?

vinay_kadagave
Explorer
‎02-29-2016 10:24 PM

Is there any way I can match an IP address from two different Indexes & provide a result?

For Example:
If there is an IDS event with source IP 10.1.1.1 & and there is also a WAF event with same IP,
I want to search such IP address matching events in both the indexes. Can anyone help me write this search?

Reply

somesoni2
Revered Legend
‎03-04-2016 05:52 PM

Just provide one search for each source that you use to get IP from or provide the field names in both source which contains the IP.

0 Karma
Reply

chimell
Motivator
‎03-02-2016 03:33 AM

Hi
This will help

if IP1 belong to index1 and IP2 to index2 , use this 

......................| where like(IP1, IP2)
Reply

ngatchasandra
Builder
‎03-01-2016 02:57 AM

Hi vinay_kadagave,

Try to run queries like follow depend you:

index=Index1 
     | chart count by ip1
     | join ip1 type=outer [ search index=Index2  
         | fields ip2 | rename ip2 as ip1 ]

Or try

  (index="Index1" ip1=*) OR (index="Index2" ip2=*)  
     | eval ip=if(isnull(ip2),ip1,ip2) 
     | fields index ip 
     | chart count(ip) AS count over ip by index 
     | where Index1=Index2
Reply

vinay_kadagave
Explorer
‎03-01-2016 10:11 PM

Thanks for the response. The result shows all the IP's in the first index & not the other. I want display IP matching in both the index.

This may help, i will keep list of IP's in one index & search those IP's in another index for matching events.

0 Karma
Reply

macadminrohit
Contributor
‎11-28-2018 02:47 PM

You need to use join type=inner to get common events.

0 Karma
Reply

ngatchasandra
Builder
‎03-02-2016 10:34 AM

If i understand, try this: 

 (index="Index1" ip1=*) OR (index="Index2" ip2=*)     |where (ip1=ip2) |table ip1 ip2
0 Karma
Reply

jplumsdaine22
Influencer
‎03-01-2016 02:35 AM

Something like this (where clientip is the name of the field containing the ip address)

clientip=10.1.1.1

If you don't specify the index Splunk should search both. If you still don't get a result then your administrator may not have allowed you search both indexes by default, so try something like this:

clientip=10.1.1.1 AND (index=WAF OR index=IDS)

If you're going to use splunk day to day it is definitely worth going through the search tutorial here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial

0 Karma
Reply

vinay_kadagave
Explorer
‎03-01-2016 08:15 PM

Thank you very much for your response. The query doesn't work if i want to search the IP dynamically or you can say correlate.

0 Karma
Reply

jplumsdaine22
Influencer
‎03-02-2016 02:17 AM

So you want a search that shows all the matching IP addresses in the two indexes?

It would help if you provided an event sample from each index, and an example of the query output you are trying to achieve

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...