I'm trying to find IP addresses that hit a specific URL and no other. I tried to use `set diff`, but it's not returning the results I expect.
If this search gives the IP addresses of everyone who hit url_a, let's say this returns 447 results:
```
sourcetype=weblogs request="GET /url_a/ HTTP*" | dedup ip | table ip | sort ip
```
And this request gives the IP addresses of everyone who hit a url underneath there, let's say this returns 314 results:
```
sourcetype=weblogs | regex request="^GET /url_a/[0-9a-z].* HTTP.*" | dedup ip | table ip | sort ip
```
I'm trying to find the list of IPs in the first list that are not in the second. `set diff` will also return items in the second search that aren't in the first, which is not what I want.
The other thing I tried was a subsearch like this:
```
sourcetype=weblogs request="GET /url_a/ HTTP*" NOT [ search sourcetype=weblogs | regex request="^GET /url_a/[0-9a-z].* HTTP.*" | dedup ip | table ip | sort ip ] | dedup ip | table ip | sort ip
```
But this returns entries that are also in the second search, so it cannot be correct. Does anyone know of an effective way to do this?
Thanks!
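The set difference the question asks for (IPs that requested `/url_a/` itself but never anything beneath it) can be computed in a single pass without a subsearch, by flagging each request type with `eval` and then collapsing per IP with `stats`. The following is an added example, not part of the original post or any answer to it; it assumes the same `sourcetype`, `ip` and `request` fields and the same two URL patterns as the question, and it uses a broader base search (`request="GET /url_a/*"`) so that both kinds of request for each IP are seen together:

```spl
sourcetype=weblogs request="GET /url_a/*"
| eval hit_root=if(match(request, "^GET /url_a/ HTTP"), 1, 0)
| eval hit_sub=if(match(request, "^GET /url_a/[0-9a-z].* HTTP"), 1, 0)
| stats max(hit_root) AS hit_root, max(hit_sub) AS hit_sub, count AS requests BY ip
| where hit_root=1 AND hit_sub=0
| table ip requests
| sort ip
```

Because every request from a given IP is folded into one row by `stats`, `hit_sub=0` can only be true if that IP made no sub-URL request in the searched time range, which is exactly the "in list A but not in list B" condition. This also keeps the result independent of the subsearch result and time limits that apply when a search like the `NOT [ ... ]` form above is used; if you do keep the subsearch form, check that the inner search is returning every IP you expect before relying on its exclusion.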