https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380344#M111329 <P>One option could be this</P> <PRE><CODE>index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" [search index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort 200 -count | table dest_port ]| stats count by dest_port src_ip dest_ip </CODE></PRE> <P>The subsearch limits the final search result to only include those top 200 dest_ports returned by subsearch.</P> Thu, 20 Sep 2018 18:26:07 GMT somesoni2 2018-09-20T18:26:07Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380343#M111328 <P>Hello, everyone,</P> <P>I need some help regarding the analysis of a firewall rule that I am trying to analyze via Splunk. What I am trying to do is to filter out a sorted output of the source and destination IP along with the top 200 ports that are used most out of the output.</P> <P>Now, when I sort the count then, I lose the capacity of getting the source IP and Destination IP details. THE TABLE SHOULD BE CONSIDERING THE COMPLETE OUTPUT OF TOP 200 PORTS ALONG WITH THE SOURCE IP AND DESTINATION IPS THAT ARE INVOLVED IN THE COMMUNICATION for example </P> <P>EXAMPLE </P> <PRE><CODE>index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort -count </CODE></PRE> Thu, 20 Sep 2018 18:17:58 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380343#M111328 vaibhavmehta 2018-09-20T18:17:58Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380344#M111329 <P>One option could be this</P> <PRE><CODE>index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" [search index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port | sort 200 -count | table dest_port ]| stats count by dest_port src_ip dest_ip </CODE></PRE> <P>The subsearch limits the final search result to only include those top 200 dest_ports returned by subsearch.</P> Thu, 20 Sep 2018 18:26:07 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380344#M111329 somesoni2 2018-09-20T18:26:07Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380345#M111330 <P>@vaibhavmehta</P> <P>Can you please try following search whether it is giving you desired output?</P> <PRE><CODE>index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats values(src) as src values(dest) as dest count by dest_port | sort 200 -count | </CODE></PRE> <P>OR</P> <PRE><CODE>index=firewall dvc="Devicename*" message_tag="RT_FLOW_SESSION_CREATE" rule="RULENAME" | stats count by dest_port, dest, src | sort 200 -count </CODE></PRE> <P>Just try both and let me know which is as per your requirement or near to it.<BR /> Thanks</P> Thu, 20 Sep 2018 18:26:11 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380345#M111330 kamlesh_vaghela 2018-09-20T18:26:11Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380346#M111331 <P>I already tried the 2nd string but that gives an individual count, but the first string works like a charm <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Validating it for a longer duration now, thanks for the quick response </P> Thu, 20 Sep 2018 21:43:28 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-with-a-Splunk-query-for-filtering-a-destination/m-p/380346#M111331 vaibhavmehta 2018-09-20T21:43:28Z