Solved: Re: How to search if a value from FieldA equals a ...

BITSIntern · ‎06-30-2015

Hi guys,

So I need to figure out how to see if the thing from field ip_source equals the thing from field ip_destination and if it does, add the values of the two fields if the fields equal each other. Basically, I want the statistics to match up the items from each field and show their separate value and the values added together so that when I graph it in the visualization section there will be 3 different values (one for each field and one of the total of the 2 fields) for each ip address.

The 2 fields are: ip_source, ip_destination
They are in the same host and I am using all sources/sourcetypes (no specification)

Please let me know if you can help!

woodcock · ‎07-01-2015

Based on your clarification, I think this will do it:

... | where ip_destination=ip_source
| stats count AS both BY ip_source
| rename ip_source AS ip_address
| append [  ... | stats count AS source      BY ip_source      | rename ip_source      AS ip_address ]
| append [  ... | stats count AS destination BY ip_destination | rename ip_destination AS ip_address ]
| stats values(*) AS * by ip_address
| fillnull value=0

View solution in original post

algalvan · ‎10-01-2019

Is there a way to search where two fields equal each other before the first pipe?

woodcock · ‎07-01-2015

Based on your clarification, I think this will do it:

... | where ip_destination=ip_source
| stats count AS both BY ip_source
| rename ip_source AS ip_address
| append [  ... | stats count AS source      BY ip_source      | rename ip_source      AS ip_address ]
| append [  ... | stats count AS destination BY ip_destination | rename ip_destination AS ip_address ]
| stats values(*) AS * by ip_address
| fillnull value=0

BITSIntern · ‎07-01-2015

Thank you this really helped!!

woodcock · ‎07-01-2015

When you ask questions better, you get better answers!

woodcock · ‎06-30-2015

Actually I think you are trying to get this:

...  | eval SameOrDifferent=if(ip_destination==ip_source),"SAME","DIFFERENT") | eval bothIPs = ip_source . "," . ip_destintation | makemv delim="," bothIPs | stats count AS each count(eval(SameOrDifferent=="SAME")) AS both by bothIPs | eval both=both/2

BITSIntern · ‎06-30-2015

It's weird, so far, none have resulted in any output besides woodcock's and his only returned a total for all of the addresses (only one thing returned)

lancerkind · ‎12-03-2018

Sounds like you want to count the number of times ip_source is equal to ip_destination.

woodcock · ‎06-30-2015

The problem here is that you have definitely NOT been clear enough about what you desire. I can think of 3 totally different ways to understand what you wrote. It will REALLY help if you clarify with a more detailed example of data and desired results.

BITSIntern · ‎06-30-2015

uhh ok.... So for my ip_source there are many different ip addresses that have been repeated and the same goes for ip_destination. I would like to create a search that counts the total of each ip address which a top/rare limit search already does but I would like it to also match up the ip_source if it is identical (the ip address not the amount of times it has been repeated) to the ip_destination. If they are equal, it will count the total of the 2 different fields ( the ip_source and ip_destination) such that the one ip address will have three values: the ip_source count, the ip_destination count, the total count.

For mine, I don't have to specify the source/sourcetype, only the host.

Sorry if I was unclear, I am extremely new to splunk.

stephanefotso · ‎06-30-2015

Hello! Try somethink like this:

index=... source=... sourcetype=...| stats values(ip_source ) as ip_source values(ip_destination ) as ip_destination|join [search index=... source=... sourcetype=... ip_source =* ip_destination =*|where ip_source =ip_destination |eval sumip=ip_source + ip_destination |table sumip]|table ip_source  ip_destination sumip

or this

 index=... source=... sourcetype=...ip_source =* ip_destination | eval sumip=case(ip_source =ip_destination ,ip_source +ip_destination )|stats values(ip_source ) as ip_source values(ip_destination ) as ip_dest values(sumip) as sumip

Thanks

SGF

woodcock · ‎06-30-2015

I think this is what you need:

... | chart count(ip_source) count(ip_destination) count(eval(ip_source==ip_destination)) AS count_src_is_dest

NOUMSSI · ‎06-30-2015

hi try this:

index=... source=you_source sourcetype=you_sourcetype host=same_host| stats c(ip_source) as count_ip_source c(ip_destination) as count_ip_destination|where ip_source=ip_destination | eval total= count_ip_source + count_ip_destination | table ip_source count_ip_source ip_destination count_ip_destination total

How to search if a value from FieldA equals a value from FieldB, add the two values if true, and display both values with their sum?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...