Hi mates,
I'm figuring out how I can show a table with matching IP addresses from 2 different vendor firewalls.
So far, I've tried the "join" statement to do a 2nd search and then an if statement to compare. Here is my search:
index=index-company sourcetype=firewall1 NOT srcIP=172.20.* | stats count by srcIP | sort 10 -count | rename srcIP as "srcfw1" | join [search index=index-company sourcetype=firewall2 NOT srcIP2=172.20.* | stats count by srcIP2 | sort 10 -count ] | eval DiffIP=if(srcfw1==srcIP2, srcIP2 ,srcfw1) | table srcfw1 DiffIP
Unfortunately, I do not get results :(
Any help would be appreciated.
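An added example (not part of the original post) of the same comparison done without join. In the posted search, join is given no field list, so it pairs rows on the fields common to both result sets; after the rename, the only shared field is count, so a firewall1 row and a firewall2 row are only paired when their top-10 counts happen to be equal, which is why the table comes back empty. A single search over both sourcetypes that normalises the source field and counts how many sourcetypes each address appears in avoids that, and also avoids the subsearch result limits that join depends on. The field names src, events, vendors and seen_in are assumed names chosen for this example; index-company, firewall1, firewall2, srcIP and srcIP2 are taken from the post.

```spl
index=index-company (sourcetype=firewall1 OR sourcetype=firewall2) NOT srcIP=172.20.* NOT srcIP2=172.20.*
| eval src=coalesce(srcIP, srcIP2)
| where isnotnull(src)
| stats count AS events, dc(sourcetype) AS vendors, values(sourcetype) AS seen_in BY src
| where vendors=2
| sort 10 -events
| table src seen_in events
```

The coalesce() step puts the firewall1 field (srcIP) and the firewall2 field (srcIP2) into one field, so stats can group both vendors' events under the same address. dc(sourcetype) counts how many distinct sourcetypes that address was seen in, and the where vendors=2 filter keeps only addresses present in both; drop that line and keep seen_in if you also want to see the addresses that appear in only one vendor's logs.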