Refine your search:

proper use/function of 'set intersect'

1
1

I have an index where events contain a source IP and a URL destination field. I would like to construct a query that would show commonality in events. I would like to search multiple IPs and have my search return only URLs that have been contacted by all of those IPs. I had constructed my search like so, for only two IPs:

set intersect [search index=INDEX_NAME Internal_IP=IPPADDR1 | fields URL ] [search index=INDEX_NAME Internal_IP=IPADDR2 | fields URL]|fields URL

By my thinking, this would return only the URL fields where there was commonality found between the results of the two subsearches here. It's not working.

I can do a subsearch that does this easily enough when it's only two hosts...but in practice, I will need the results for far more than two hosts. Here's my subsearch-based solution for two hosts, which works well:

[search index=INDEX_NAME Internal_IP=IPADDR1 | fields URL] index=INDEX_NAME Internal_IP=IPADDR2 | fields URL | top URL

Thanks!

asked 17 Aug '10, 19:03

rgonzale6's gravatar image

rgonzale6
877
accept rate: 0%

edited 17 Aug '10, 19:12

2 Answers:
oldestnewestmost voted
2

Using set isn't going to be the most efficient way to solve this problem.

I'd use stats to look at the source IP characteristics for each url like:

index=INDEX_NAME | stats values(Internal_IP) as Internal_IPs dc(Internal_IP) as Internal_IP_count by URL

You can then pipe the results of this to | search Internal_IP_count > <threshold> to see the URLs that were accessed by more than <threshold> IPs as well as the IPs that accessed them.

link

answered 17 Aug '10, 19:10

Stephen%20Sorkin's gravatar image

Stephen Sorkin ♦
8.1k47
accept rate: 52%

thanks! Much appreciated.

(17 Aug '10, 19:51) rgonzale6
1

Just an idea for a different approach:

index=INDEX_NAME (Internal_IP=IPADDR1 OR Internal_IP=IPADDR2) | stats dc(Internal_IP) as ip_count by URL | where ip_count>1

which would reduce the events to those with IPs you're interested in before computing number of distinct ip addresses per url, and then filtering the results to only those that has been accessed by all IPs. It can easily expanded to more IPs: 

index=INDEX_NAME (Internal_IP=IPADDR1 OR Internal_IP=IPADDR2 OR Internal_IP=IPADDR3) | stats dc(Internal_IP) as ip_count by URL | where ip_count>2
link

answered 17 Aug '10, 19:16

ziegfried's gravatar image

ziegfried ♦
7.1k1315
accept rate: 53%

edited 17 Aug '10, 19:23

thanks! Appreciate your response.

(17 Aug '10, 19:52) rgonzale6
Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×131

Asked: 17 Aug '10, 19:03

Seen: 401 times

Last updated: 10 Nov '10, 07:22

Related questions

Compare puncts (logs) generated before and after upgrade: set intersect subsearches timing out

Why can't I use subsearch in the case function in the eval command?

How to return subsearch field calculated by stats function?

Why it doesn't work subsearch in eval function at the View of dashboard.

subsearch breaks on different index? subsearch for date_hour greater than

Union / Intersect results from different source type

How to get at two fields from a subsearch that has a subsearch?

How do I write a Custom stat function

Copyright © 2005-2012 Splunk, Inc. All rights reserved.