Refine your search:

search where a field is IN another search

0

Hi all i need to do a search like this:

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | rename Source_Network_Address as IP | rename IP_Source as IP

where the IP is in a field of another search. How can i do this?
Thanks

asked 18 Oct '10, 13:45

pinzer's gravatar image

pinzer
654121
accept rate: 0%

2 Answers:
oldestnewestmost voted
0

Take a look at the format command:
    http://www.splunk.com/base/Documentation/4.1.5/SearchReference/format

link

answered 18 Oct '10, 13:56

southeringtonp's gravatar image

southeringtonp ♦
4.9k2524
accept rate: 35%

0

If the IP could possibly be in several locations, and you want to normalize them into a field, I like the coalesce command in eval.

sourcetype="webseal_access" OR sourcetype="wmi:wineventlog:security" | eval IP = coalesce(Source_Network_Address,IP_Source)

This says "make a new field called IP, and use the value from the first non-empty field."

http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions

link

answered 13 Dec '10, 16:20

vbumgarn's gravatar image

vbumgarn
6511317
accept rate: 9%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,646
×229

Asked: 18 Oct '10, 13:45

Seen: 552 times

Last updated: 05 Apr '11, 06:22

Related questions

Splunk search to remove entries where one value exists in another value

saving result of a search query to a variable in order to use in another search

Create multivalued field in the search based on another field

Retrieving results where field matches a list of fields in another search

Return results when value of one field is not equal to value of another field

Show 2 Fields in Table where 1 is a subset of the other

Help with searching across 3 files where one file contains not obviously linkable transactions

Searching where a difference in fields is greater than 1.

Copyright © 2005-2012 Splunk Inc. All rights reserved.