
How to search events with matching IP addresses from two different indexes?

vinay_kadagave
Explorer

Is there any way I can match an IP address from two different Indexes & provide a result?

For Example:
If there is an IDS event with source IP 10.1.1.1 and there is also a WAF event with the same IP,
I want to search for such IP-address-matching events in both indexes. Can anyone help me write this search?

somesoni2
SplunkTrust

Just provide one search for each source that you use to get the IP from, or provide the field names in both sources which contain the IP.

0 Karma

chimell
Motivator

Hi
This will help

If IP1 belongs to index1 and IP2 to index2, use this:

......................| where like(IP1, IP2)

ngatchasandra
Builder

Hi vinay_kadagave,

Try running queries like the following, depending on your case:

index=Index1 
     | chart count by ip1
     | join ip1 type=outer [ search index=Index2  
         | fields ip2 | rename ip2 as ip1 ]

Or try

  (index="Index1" ip1=*) OR (index="Index2" ip2=*)  
     | eval ip=if(isnull(ip2),ip1,ip2) 
     | fields index ip 
     | chart count(ip) AS count over ip by index 
     | where Index1>0 AND Index2>0

vinay_kadagave
Explorer

Thanks for the response. The result shows all the IPs in the first index and not the other. I want to display IPs matching in both indexes.

This may help: I will keep a list of IPs in one index and search for those IPs in another index for matching events.

0 Karma

macadminrohit
Contributor

You need to use join type=inner to get common events.

0 Karma

ngatchasandra
Builder

If I understand, try this:

(index="Index1" ip1=*) OR (index="Index2" ip2=*)
     | where (ip1=ip2)
     | table ip1 ip2
0 Karma
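As an added example (not from any poster in this thread), the same correlation written with `stats` rather than `join`, which avoids the subsearch row limits and the outer/inner join confusion discussed above. The index names IDS and WAF come from a later reply; the field names `src_ip` (IDS) and `client_ip` (WAF) are assumptions and should be replaced with the real field names from each index.

```spl
(index=IDS src_ip=*) OR (index=WAF client_ip=*)
| eval ip=coalesce(src_ip, client_ip)
| stats dc(index) AS index_count, values(index) AS indexes, count AS events BY ip
| where index_count=2
| table ip indexes events
```

Each event carries only one of the two IP fields, so `coalesce()` picks whichever is present before grouping; `dc(index)=2` keeps only IPs seen in both indexes, and removing that `where` line shows every IP with the indexes it appeared in.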

jplumsdaine22
Influencer

Something like this (where clientip is the name of the field containing the ip address)

clientip=10.1.1.1

If you don't specify the index Splunk should search both. If you still don't get a result then your administrator may not have allowed you search both indexes by default, so try something like this:

clientip=10.1.1.1 AND (index=WAF OR index=IDS)

If you're going to use splunk day to day it is definitely worth going through the search tutorial here:
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchTutorial/WelcometotheSearchTutorial

0 Karma

vinay_kadagave
Explorer

Thank you very much for your response. The query doesn't work if I want to search the IP dynamically, or you could say correlate.

0 Karma

jplumsdaine22
Influencer

So you want a search that shows all the matching IP addresses in the two indexes?

It would help if you provided an event sample from each index, and an example of the query output you are trying to achieve.

0 Karma