https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/552022#M156655 <P>Thank you!&nbsp;<span class="lia-unicode-emoji" title=":face_savoring_food:">😋</span>&nbsp;</P> Tue, 18 May 2021 11:08:03 GMT dmbr 2021-05-18T11:08:03Z https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/551936#M156625 <P>Here is a basic tstats search I use to check network traffic.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats summariesonly=t fillnull_value="MISSING" count from datamodel=Network_Traffic.All_Traffic where All_Traffic.src IN ("11.2.2.1","11.2.2.2","11.2.2.3") by All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype | sort -count</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I have a lookup file called "ip_ioc.csv" containing a single column of IPv4 addresses which constitute potential bad actors. &nbsp;</P><P>Instead of searching through a list of IP addresses as per above, I want the tstats search to check the lookup file.</P><P>How can I modify the above search?</P><P><EM>Here is a terrible and incorrect attempt at what I am trying to perform:</EM></P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| tstats count from datamodel=Network_Traffic.All_Traffic by All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype | lookup ip_ioc.csv ip_ioc | where ip_ioc == All_Traffic.src OR ip_ioc == All_Traffic.dest</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 18 May 2021 00:56:42 GMT https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/551936#M156625 dmbr 2021-05-18T00:56:42Z https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/551937#M156626 <P>Not so terrible, but incorrect <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> One way is to replace the last two lines with</P><LI-CODE lang="markup">| lookup ip_ioc.csv ip_ioc as All_Traffic.src OUTPUT ip_ioc as src_found | lookup ip_ioc.csv ip_ioc as All_Traffic.dest OUTPUT ip_ioc as dest_found | where !isnull(src_found) OR !isnull(dest_found)</LI-CODE><P>looks like you want to check either src or dest, so you could possible use a subsearch in the tstats to pull in your IP addresses to be part of the where IN statement for each of src and dest, but the merits of each would be down to performance - the above is quite simple and easy to read.</P> Tue, 18 May 2021 01:04:52 GMT https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/551937#M156626 bowesmana 2021-05-18T01:04:52Z https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/552022#M156655 <P>Thank you!&nbsp;<span class="lia-unicode-emoji" title=":face_savoring_food:">😋</span>&nbsp;</P> Tue, 18 May 2021 11:08:03 GMT https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/552022#M156655 dmbr 2021-05-18T11:08:03Z https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/564817#M196755 <P>Hello guys.&nbsp;</P><P>Can i hitch on this to further check, how do i include timestamp for each match?</P><P>If i add by _time (in red below),&nbsp; the output is automatically bucket.&nbsp; If i specify span=1s, can i still pipe the result timechart span=1d?&nbsp;</P><P><EM>| tstats count from datamodel=Network_Traffic.All_Traffic by <FONT color="#FF0000"><STRONG>_time span=1s</STRONG></FONT>, All_Traffic.src, All_Traffic.dest, All_Traffic.action, All_Traffic.dest_port, All_Traffic.bytes, sourcetype</EM></P><P>The desired output is for each match to carry _time, src, dst, ports fields, which can be used to generate timechart.</P><P>&nbsp;</P> Thu, 26 Aug 2021 02:53:10 GMT https://community.splunk.com/t5/Splunk-Search/Basic-use-of-tstats-and-a-lookup/m-p/564817#M196755 linwqg 2021-08-26T02:53:10Z