Append Eventtype to Top listing

EricPartington — Wed, 23 Mar 2011 09:30:15 GMT

I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*)

Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567 ..etc

How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?

1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567

THis feels like it should be some form of appending to the top command but I havent found the appropriate one yet.

Any ideas?

Re: Append Eventtype to Top listing

sideview — Wed, 23 Mar 2011 11:34:50 GMT

Let me restate it and see if I get it? It sounds like you have a search like:

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely:

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so:

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count

topic Append Eventtype to Top listing in Splunk Search

Append Eventtype to Top listing

Re: Append Eventtype to Top listing