Splunk Search

Show if IP is also in another sourcetype

Fischerman
Explorer

Hi all

I'm sure this is an easy thing for a Splunk crack, but not for me as I'm a noob (4 days of Splunk experience 😉)

What I am trying to do is the following:

I have
sourcetype="CUSTOMER_EXTERNAL_IP" and in there the field "customer_external_ip"
and
sourcetype="BOTNET" and in there the field "customer_host"

Now I want to see all "customer_host" values where the IP is also in "customer_external_IP".

Any hint in which direction I have to search for the solution?

Thx in advance !-)


Fischerman
Explorer

UPDATE:
Had some problems with subsearch (Splunk is telling me the network is down and other weird stuff), so I was playing around with Martin's solution (coalesce) and this works smoothly and without any problem. I think this one uses a lot less system power and I would propose: if you have the same challenge to solve, try the "coalesce" solution first.

BTW: right now I have 66,467 customer_external_ip events and about 1200 botnet events... botnet events growing from day to day.


martin_mueller
SplunkTrust

Depending on your requirements you could join the two searches using the IP as join field, or you could use one as a subsearch of the other producing IPs as filter criteria, or many other ways.

For example, if you just want a list of IPs that appear in both you could do this:

sourcetype="CUSTOMER_EXTERNAL_IP" OR sourcetype="BOTNET" | eval ip = coalesce(customer_external_ip, customer_host) | stats dc(sourcetype) as dc by ip | where dc > 1 | table ip

Fischerman
Explorer

Thx Martin for your great answer. This also works fine and it points me in the right direction for my next problem to solve with Splunk 😉


BobM
Builder

A subsearch will give you this. It lets you take the result of one search and use it as a filter for another. This should work for you:

sourcetype="BOTNET" [search sourcetype="CUSTOMER_EXTERNAL_IP" | fields customer_external_ip | rename customer_external_ip as customer_host]

BobM
Builder

Yes, that would be easy to do. Have the CSV file saved in your app's lookup folder and configure Splunk to use it. There is a good Splunk blog post on lookups here:

http://blogs.splunk.com/2009/07/27/enriching-data-with-lookups-part-1/


martin_mueller
SplunkTrust

You could store known IPs in a CSV file together with a "type" column with values such as "botnet", "company X", "whatever". The lookup adds that field to your Splunk results and you can filter by it.

As for tutors, you can consult your local Splunk partner for some help 🙂

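Building on the coalesce reply and the lookup reply above, here is an added example (not from either poster) that returns the matching customer_host values with botnet event counts and first/last seen times instead of a bare IP list, followed by the lookup variant; it assumes a CSV lookup definition named known_ips with columns ip and type, which are constructed names.

```spl
sourcetype="CUSTOMER_EXTERNAL_IP" OR sourcetype="BOTNET"
| eval ip = coalesce(customer_external_ip, customer_host)
| stats dc(sourcetype) AS seen_in,
        count(eval(sourcetype="BOTNET")) AS botnet_events,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY ip
| where seen_in > 1
| convert ctime(first_seen) ctime(last_seen)
| sort - botnet_events

sourcetype="BOTNET"
| lookup known_ips ip AS customer_host OUTPUT type AS ip_type
| where isnotnull(ip_type)
| stats count AS botnet_events BY customer_host ip_type
| sort - botnet_events
```

The subsearch form is capped at 10,000 results by default, so with 66,467 customer_external_ip events it would truncate the filter list; the stats/coalesce and lookup forms are not subject to that limit.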

Fischerman
Explorer

Thx a lot for your fast answer. This is / was exactly what I was searching for.

I know it is not nice to ask a question other than the one in the title of this thread, but it is related to the question:

Would the same also be possible if I do not "import" the external IPs and instead use the CSV file as a lookup table?
If yes, any hint on a good tutor for lookup tables?-)
