How to search for specific IP addresses in a proxy...

ivar9692 · ‎10-23-2016

Hi, I'm searching for specific IP's in proxy index and trying to compare the output of that to other index (which gives the additional info about those IP's which match the condition i gave in proxy logs index) but i'm not getting any result.

I need to do above in only 1 search. I'm using subsearch command but unable to get any result. individually both are working fine if i run 1st search then pick those IP's and give it into 2nd index manually. Right now i'm using:

index=ipinfo ip_s="ip" [search index=proxylogs "conditions" |  fields ip]  stats values(ipinfo) values(fileds in index ipinfo).

i think subsearch can be used with same index only, that's why it is not working. Or the fields i'm comparing have different names. do i need to rename fields in subsearch before comparing to main search?

Please help

inventsekar · ‎10-24-2016

was it a typo or did you miss a "|" before the stats command?
your query - index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | fields ip] stats values(ipinfo)

 index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | fields ip] | stats values(ipinfo)...

somesoni2 · ‎10-24-2016

Also, make sure that field name that contains IP ifnormation is same in both proxylogs and ipinfo index. If not that add a rename command in subsearch to make both field name same.

index=ipinfo ip_s="ip" [search index=proxylogs "conditions" | stats count by ip | table ip | rename ip as ipFieldNameInipinfoIndex ] | stats values(ipinfo)...

How to search for specific IP addresses in a proxy index and compare them to another index?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio