Splunk Search

Search for the events with the same IP with two different field names from the two different index

staparia
Explorer

(index=intrusion dest_ip=*) OR (index=proxy r_ip=*)
dest_ip should always be equal to r_ip

0 Karma

woodcock
Esteemed Legend

Like this:

(index=intrusion dest_ip=*) AND [search index=proxy r_ip=* | table r_ip | rename r_ip AS dest_ip]

OR:

(index=intrusion dest_ip=*) OR (index=proxy r_ip=*)
| eval dest_ip = coalesce(dest_ip, r_ip)
| stats dc(sourcetype) AS sourcetypeCount values(sourcetype) AS sourcetypes BY dest_ip
| where sourcetypeCount==2
0 Karma

richgalloway
SplunkTrust

You could use join, but that's inefficient.

index=intrusion dest_ip=* | join dest_ip [search index=proxy r_ip=* | rename r_ip as dest_ip]

A better way is to use stats. Replace 'some_field' with a field name from your events. Add more 'some_field' arguments as needed for all the events you wish to see.

(index=intrusion dest_ip=*) OR (index=proxy r_ip=*) | eval ip=coalesce(dest_ip, r_ip) 
| stats values(some_field) as some_field by ip
---
If this reply helps you, Karma would be appreciated.

staparia
Explorer

I would seek results wherein r_ip=dest_ip. Example: r_ip=10.10.10.10 and dest_ip=10.10.10.10. So I would want only those results where these two fields have the same values.

0 Karma

richgalloway
SplunkTrust

Please share your query. Perhaps there is an error preventing the expected results.

The by clause of the stats command groups events that have the same value in the 'ip' (in this case) field.

If you're not happy with the results of the stats command, try my join example.

---
If this reply helps you, Karma would be appreciated.
0 Karma

staparia
Explorer

(index=intrusion attack_signature=MS-Executable-File destination_port=80 direction=Outbound result_status=Inconclusive) OR (index=proxy x_exception_id!=IT-HotSpot-Denied AND cs_host!="testrating.webfilter.bluecoat.com" cs_host!="help.tower.shanhu99.com" cs_categories="none" url=*.php) | eval ip=coalesce(dest_ip, r_ip) | stats count by ip

It is giving me results for the values of the IP which are present in both the indexes, but it is not looking at the condition where I want dest_ip=r_ip.

0 Karma

richgalloway
SplunkTrust

Have you tried using join?

---
If this reply helps you, Karma would be appreciated.
0 Karma

staparia
Explorer

I did. It didn't show the results as expected.

suppose index=proxy AND s_ip="some value"
index=ips AND d_ip="some value"

Now I would seek raw logs with all the fields (from both the indexes) matching the values of s_ip and d_ip.

Suppose I enter 10.10.10.10 (be it s_ip or d_ip); it should give me results of all the logs present in index=proxy and index=ips.

0 Karma

staparia
Explorer

Hello,
I wanted all the events in such a manner where dest_ip = 10.10.10.10 and r_ip = 10.10.10.10...

Both the values are same and matching

0 Karma

staparia
Explorer

Hello, the stats query is giving me the entire set of results. Whereas I wanted a query where, if an IP 10.10.10.10 is involved, it should return results in such a manner that this particular IP (10.10.10.10) is present in both search queries; that is:

Query 1 --> (index=intrusion dest_ip=)
Query 2 --> (index=proxy r_ip=)

where r_ip and dest_ip = 10.10.10.10

0 Karma
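As an added example (not from any of the replies above), one way to return the raw events from both indexes for only those IPs that appear as dest_ip in the intrusion index and as r_ip in the proxy index; it builds on the coalesce approach used earlier and assumes the index and field names from this thread:

```spl
(index=intrusion dest_ip=*) OR (index=proxy r_ip=*)
| eval ip=coalesce(dest_ip, r_ip)
| eventstats dc(index) AS indexCount BY ip
| where indexCount==2
| table _time index sourcetype ip dest_ip r_ip _raw
| sort ip _time
```

Unlike stats, eventstats keeps every event, so the full fields from both indexes remain available after the filter; to look at one address, append | search ip=10.10.10.10.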