https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46995#M11221 <P>If you don't yet have the source ip extracted into a field you can do something like this to get you started quickly:</P> <PRE><CODE>... | rex "MAN-TRANS-PIX:(?&lt;src_ip&gt;(\d{1,3}\.){3}\d{1,3})" | ... </CODE></PRE> Tue, 28 May 2013 09:54:56 GMT martin_mueller 2013-05-28T09:54:56Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46991#M11217 <P>Hello,<BR /> I want to count the denials from the same source ip. How can I do this?<BR /> The Log looks like this:</P> <P>May 28 07:22:30 aaa.aaa.aaa.aaa %ASA-4-106023: Deny icmp src MAN-TRANS-PIX:bbb.bbb.bbb.bbb dst MAN-PRIV-INFRA-DMZ1:dns1.man.internal (type 8, code 0) by access-group "MAN-TRANS-PIX_access_in" [0xe068225a, 0x0]</P> <P>Thanks for help.</P> Mon, 28 Sep 2020 13:59:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46991#M11217 saschar 2020-09-28T13:59:09Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46992#M11218 <P>If you're looking for a specific source ip you can do this:</P> <PRE><CODE>search for that source ip and denial events | stats count </CODE></PRE> <P>If you're looking for a general count by source ip you can do this:</P> <PRE><CODE>search for denial events | stats count by src_ip </CODE></PRE> <P>Alternatively, this:</P> <PRE><CODE>search for denial events | top src_ip </CODE></PRE> <P>Other than that you may need to clarify your goal.</P> Tue, 28 May 2013 07:46:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46992#M11218 martin_mueller 2013-05-28T07:46:34Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46993#M11219 <P>I am looking for a general count to get the sources which produces the most noise.<BR /> The count by src_ip producing no results. I think it's because the "MAN-TRANS-PIX:" in front of the IP. How can can I get these IP's out of this?</P> Tue, 28 May 2013 07:58:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46993#M11219 saschar 2013-05-28T07:58:08Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46994#M11220 <P>Now I've tried the search on another server with the same asa-logs. On this my search and counting works fine but on the production-server I get no results...</P> Tue, 28 May 2013 08:22:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46994#M11220 saschar 2013-05-28T08:22:34Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46995#M11221 <P>If you don't yet have the source ip extracted into a field you can do something like this to get you started quickly:</P> <PRE><CODE>... | rex "MAN-TRANS-PIX:(?&lt;src_ip&gt;(\d{1,3}\.){3}\d{1,3})" | ... </CODE></PRE> Tue, 28 May 2013 09:54:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46995#M11221 martin_mueller 2013-05-28T09:54:56Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46996#M11222 <P>Thanks.<BR /> That was the problem.</P> Wed, 29 May 2013 07:52:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46996#M11222 saschar 2013-05-29T07:52:06Z https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46997#M11223 <P>If you do not have that extraction, you are probably missing other usefull information. I suggest you install the free "Technology Add on for Cisco ASA" to all your indexers and search heads.</P> <P><A href="http://splunk-base.splunk.com/apps/58196/technology-add-on-for-cisco-asa">http://splunk-base.splunk.com/apps/58196/technology-add-on-for-cisco-asa</A></P> Wed, 29 May 2013 09:06:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-count-equal-sources/m-p/46997#M11223 BobM 2013-05-29T09:06:11Z