https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452860#M128215 <P>Kindly provide a better way to write the query in the below example.</P> <P>Also, one more thing I need help with is the hit count on destination port. </P> <PRE><CODE>index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="*" src_port="*" dest_zone=DMZ dest_ip="*" dest_port="*" | iplocation src_ip | table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport | eval protocol=transport+"/"+dest_port | fields - dest_port, transport </CODE></PRE> <P>Thanks,</P> Tue, 05 Feb 2019 01:08:29 GMT sherrysafdar 2019-02-05T01:08:29Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452860#M128215 <P>Kindly provide a better way to write the query in the below example.</P> <P>Also, one more thing I need help with is the hit count on destination port. </P> <PRE><CODE>index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="*" src_port="*" dest_zone=DMZ dest_ip="*" dest_port="*" | iplocation src_ip | table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport | eval protocol=transport+"/"+dest_port | fields - dest_port, transport </CODE></PRE> <P>Thanks,</P> Tue, 05 Feb 2019 01:08:29 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452860#M128215 sherrysafdar 2019-02-05T01:08:29Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452861#M128216 <P>@sherrysafdar,</P> <P>Your search seems to be right except the <CODE>table</CODE> which could be replaced by fields. However, it depends on whats the final result you want to achieve - probably a statistics with the data available.</P> <P>To get a count of destination port in each event, you may add <CODE>eventstats by dest_port</CODE> to the search . </P> <PRE><CODE>index="cisco_asa_index" sourcetype="cisco:asa" src_zone=TP-OUTSIDE src_ip="" src_port="" dest_zone=DMZ dest_ip="" dest_port="" | iplocation src_ip | table src_zone,src_ip,Country,City,src_port,dest_zone,dest_ip,acl,dest_port,transport | eval protocol=transport+"/"+dest_port | eventstats count by dest_port | fields - transport </CODE></PRE> <P>Happy to assist further.</P> Tue, 05 Feb 2019 04:50:38 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452861#M128216 renjith_nair 2019-02-05T04:50:38Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452862#M128217 <P>you are searching for dest_port with blank value, and then doing event stats on it? will it give any result?</P> Tue, 05 Feb 2019 05:29:04 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452862#M128217 jvishwak 2019-02-05T05:29:04Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452863#M128218 <P>One suggestion, you can have table command in last, and fields command as early as in query.</P> Tue, 05 Feb 2019 05:31:35 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452863#M128218 jvishwak 2019-02-05T05:31:35Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452864#M128219 <P>Awesome, it worked like a charm, thanks!</P> Tue, 05 Feb 2019 17:15:47 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452864#M128219 sherrysafdar 2019-02-05T17:15:47Z https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452865#M128220 <P>@jvishwak, Just FYI - its not empty in real search but it has been sanitized to remove potential confidential elements.</P> Wed, 06 Feb 2019 03:56:16 GMT https://community.splunk.com/t5/Splunk-Search/Can-you-help-me-figure-out-the-best-way-to-write-the-following/m-p/452865#M128220 renjith_nair 2019-02-06T03:56:16Z