https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70862#M17737 <P>Ahhh... well in that case get rid of <CODE>field=event_desc</CODE> and you should be good.</P> <P>Also, seeing as you're dealing with ASA logs, you might find the "Splunk for Cisco Firewalls" and "Cisco Security Suite" apps worth a look.</P> Tue, 24 Sep 2013 10:08:41 GMT rturk 2013-09-24T10:08:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70859#M17734 <P>I have the following search for my Cisco ASA</P> <P>event_desc="Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name."</P> <P>How can I sort this search on the "to IP_address/port" and get a count of each?</P> <P>Thanks</P> <P>SK</P> Mon, 28 Sep 2020 14:50:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70859#M17734 sean_kirkpatric 2020-09-28T14:50:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70860#M17735 <P>Hi Sean, try the following:</P> <PRE><CODE>&lt;base search&gt; | rex field=event_desc "to (?&lt;dst_ip_address&gt;\d+\.\d+\.\d+\.\d+)/(?&lt;dst_port&gt;\d+)" | stats count by dst_ip_address, dst_port </CODE></PRE> <P>If this doesn't work, if you could post an actual event I might be able to fine tune it for you.</P> <P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 24 Sep 2013 01:37:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70860#M17735 rturk 2013-09-24T01:37:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70861#M17736 <P>Thank you for you help. Unfortunately, the results come out empty. Splunk says it finds 1900+ matches though. Here is an actual event.</P> <P>Sep 23 18:14:15 10.10.10.1 Sep 23 2013 18:16:15: %ASA-6-106015: Deny TCP (no connection) from 15.16.17.8/80 to 12.22.12.1/1398 flags FIN PSH ACK on interface outside</P> Tue, 24 Sep 2013 09:54:07 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70861#M17736 sean_kirkpatric 2013-09-24T09:54:07Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70862#M17737 <P>Ahhh... well in that case get rid of <CODE>field=event_desc</CODE> and you should be good.</P> <P>Also, seeing as you're dealing with ASA logs, you might find the "Splunk for Cisco Firewalls" and "Cisco Security Suite" apps worth a look.</P> Tue, 24 Sep 2013 10:08:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70862#M17737 rturk 2013-09-24T10:08:41Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70863#M17738 <P>Thanks. I removed field=event_desc, and I still get the matching events but no results found. </P> <P>I have the Firewall app, but it doesn't give me all the info I need.</P> Tue, 24 Sep 2013 11:22:11 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70863#M17738 sean_kirkpatric 2013-09-24T11:22:11Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70864#M17739 <P>Got it... I was missing a ? before <DST_PORT>. Thanks!</DST_PORT></P> Tue, 24 Sep 2013 11:36:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70864#M17739 sean_kirkpatric 2013-09-24T11:36:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70865#M17740 <P>Glad I could help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 24 Sep 2013 11:37:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-sort-and-get-a-count-for-specific-data/m-p/70865#M17740 rturk 2013-09-24T11:37:27Z