- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: List result of two searches and the difference...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
List result of two searches and the difference between the two searches
hi there,
i'm very new to splunk and not much experience yet. the splunk-answers are great and helped me a lot. but in the following situation i have no idea how to solve this problem.
i have two searches, which give me a list of ip-addresses as a result. i want to list the ip-addresses of the two searches, each in a column, and the delta between the two in a third column.
search string #1
src_mac_vendor="nexans deutschland gmbh ans" sourcetype=dhcpd dhcp_message="DHCPACK" src_mac_prefix="00:c0:29" | dedup src_ip
search string #2
sourcetype=syslog host=* | rex ".*\d]\s(?<Switch>S[2-3].*)\s:\s" | dedup Switch
thanks for your help!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
thank you very much für you answers. But its not exactly what im lookin for. Both solutions print out two columns with the result of each search. But my problem is, to build a thrid column, where the result is a diff of the first and second.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
src_mac_vendor="nexans deutschland gmbh ans" sourcetype=dhcpd dhcp_message="DHCPACK" src_mac_prefix="00:c0:29" | dedup src_ip | addcols [ search sourcetype=syslog host=* | rex ".\d]\s(?S[2-3].)\s:\s" | dedup Switch]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I worked with the tutorial data. Here are my two searches 1: sourcetype=access_* status=200 action="addtocart"| top clientip | table clientip | rename clientip AS ip1, 2: search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2
I can then join both searches as one, just like this
sourcetype=access_* status=200 action="addtocart"| top clientip | table clientip | rename clientip AS ip1| table ip1 | join [search sourcetype=access_* status=200 action=purchase | top clientip | rename clientip AS ip2| table ip2]
with this, you can display both ip1 and ip2
to subtract ip1 and ip2, you can just add eval delta=ip1-ip2
But you should know that we can’t subtract ip address that way. If you work with integers or real, it will be ok but not with ip address
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
