https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400324#M115994 <P>I've now this search: </P> <P>index=* source="stream:*" source="stream:fortistream" <BR /> |table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)</P> <P>But how do I make sure the values of scr_ip and dest_ip belong together within the same data flow? </P> Tue, 29 Sep 2020 21:42:00 GMT heskez 2020-09-29T21:42:00Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400318#M115988 <P>Hi there, when I run this search: </P> <PRE><CODE>index=* source=stream:Splunk_IP | rex field=src_ip "(?&lt;src1&gt;.*)\.(?&lt;src2&gt;.*)\.(?&lt;src3&gt;.*)\.(?&lt;src4&gt;.*)" | where src1 NOT null | rex field=dest_ip "(?&lt;dest1&gt;.*)\.(?&lt;dest2&gt;.*)\.(?&lt;dest3&gt;.*)\.(?&lt;dest4&gt;.*)" | where dest1 NOT null | eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3) | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype" </CODE></PRE> <P>It produces this result: <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5851i6326B262A27C8ABD/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>As you'll notice the other half of source and destination ipaddresses are missing.</P> <P>Is this: ????</P> <UL> <LI>Because the flow data doesn't arrive properly in SPLUNK</LI> <LI>The stream app needs more configuring</LI> <LI>Search syntax is wrong</LI> </UL> <P>I'd highly appreciate an answer on this. <BR /> Thanks in advance! </P> <P>Erik</P> Wed, 26 Sep 2018 08:47:56 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400318#M115988 heskez 2018-09-26T08:47:56Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400319#M115989 <P>This is happening because you are using round function. can you try to remove it?</P> Wed, 26 Sep 2018 09:31:03 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400319#M115989 p_gurav 2018-09-26T09:31:03Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400320#M115990 <P>Hi!</P> <P>In these commands: <BR /> <CODE>| eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3)</CODE><BR /><BR /> you try to concatenate only two parts of IP (src1 and src2). No wonder, that half of IP is missing. Substitute these evals with: <BR /> <CODE>| eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4</CODE></P> <P>By the way, are you sure you need such conversion? I'm guessing, <CODE>src_ip</CODE> and <CODE>dest_ip</CODE> contains the whole and correct IP addresses, and you can use them instead of <CODE>source_ip</CODE> and <CODE>destination_ip</CODE>.</P> Wed, 26 Sep 2018 10:13:06 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400320#M115990 nryabykh 2018-09-26T10:13:06Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400321#M115991 <P>Thanks, I wonder why they even use the round function on an ipaddress!? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Anyway, if I remove it I mess up the syntax completely..</P> Wed, 26 Sep 2018 10:47:56 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400321#M115991 heskez 2018-09-26T10:47:56Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400322#M115992 <P>Thanks! When I convert the syntax like this: </P> <PRE><CODE>index=* source=stream:Splunk_IP | rex field=src_ip "(?&lt;src1&gt;.*)\.(?&lt;src2&gt;.*)\.(?&lt;src3&gt;.*)\.(?&lt;src4&gt;.*)" | where src1 NOT null | rex field=dest_ip "(?&lt;dest1&gt;.*)\.(?&lt;dest2&gt;.*)\.(?&lt;dest3&gt;.*)\.(?&lt;dest4&gt;.*)" | where dest1 NOT null | | eval source_ip = src1 + "." + src2 +"." + src3 + "." + src4 | eval destination_ip = dest1 + "." + dest2 + "." + dest3 + "." + dest4 | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype" </CODE></PRE> <P>It produces an error message: Error in 'SearchParser': Missing a search command before '|'. Error at position '235' of search query 'search index=* source=stream:Splunk_IP | rex field...{snipped} {errorcontext = OT null | | eval sour}'.</P> <P>You'd say you don't need the source_ip, however it's part of the data model. If I try search on src_ip I don't get any data.. Or.. I'm doing wrong search, what would be the search syntax then?</P> Tue, 29 Sep 2020 21:26:24 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400322#M115992 heskez 2020-09-29T21:26:24Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400323#M115993 <P>Basically this will work for me: </P> <PRE><CODE>index=* source="stream:*" source="stream:fortistream" |table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out) </CODE></PRE> <P>So what do I need this crazy search that comes with the stream app datamodel for then?<BR /> Why did they set it up like this?</P> Wed, 26 Sep 2018 21:53:39 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400323#M115993 heskez 2018-09-26T21:53:39Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400324#M115994 <P>I've now this search: </P> <P>index=* source="stream:*" source="stream:fortistream" <BR /> |table timestamp, src_ip, dest_ip, ,dest_port, sum(bytes_in), sum(bytes_out)</P> <P>But how do I make sure the values of scr_ip and dest_ip belong together within the same data flow? </P> Tue, 29 Sep 2020 21:42:00 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400324#M115994 heskez 2020-09-29T21:42:00Z https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400325#M115995 <P>Anyone?<BR /> WIth advice?</P> Wed, 17 Oct 2018 22:39:20 GMT https://community.splunk.com/t5/Splunk-Search/SPLUNK-Search-derived-from-Stream-app-produces-strange-result/m-p/400325#M115995 heskez 2018-10-17T22:39:20Z