https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155237#M185680 <HR /> <P>The requirement is for IDP traffic </P> <P>field1 = source ip addresses (external and internal)<BR /> field2 = destination ip addresses (external and internal)<BR /> field3 = severity<BR /> field4 = attack signature</P> <P>I want to group the row by source ip <BR /> then each row I want to group by destination ip<BR /> then each row of destination, I want to group by severity count<BR /> then from severity row, i want to group by attack signature</P> <P>this is for report, dashboard and alert.</P> <P>Example</P> <HR /> <PRE><CODE> ------------------------------------------------------------------------------------------------ | SRC_IP | DEST IP | SEV HIGH | SEV CRIT | ATTACT COUNT | ATTACK SIGNATURE | And so on...| |------------|-----------|-----------|----------|---------------|------------------|-------------| | 1.2.3.4 | 4.3.2.1 | 5 | | 2 | BLAH1 | | | | | | | 3 | BLAH5 | etc... | | | | | | 1 | BLAH7 | | | | |-----------|----------|---------------|------------------|-------------| | | | | 4 | 2 | BLAH2 | | | | | | | 1 | BLAH5 | etc... | | | | | | 1 | BLAH1 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH6 | | | | | | | 1 | BLAH8 | etc... | | | | | | 1 | BLAH7 | | | | |-----------|----------|---------------|------------------|-------------| | | | | 6 | 2 | BLAH3 | | | | | | | 2 | BLAH5 | etc... | | | | | | 2 | BLAH1 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH6 | | | | | | | 1 | BLAH8 | etc... | | | | | | 1 | BLAH7 | | |------------|-----------|-----------|----------|---------------|------------------|-------------| | 5.6.3.2 | 4.3.2.1 | 7 | | 4 | BLAH5 | | | | | | | 2 | BLAH6 | etc... | | | | | | 1 | BLAH7 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | | 3 | 1 | BLAH1 | | | | | | | 1 | BLAH2 | etc... | | | | | | 1 | BLAH3 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH2 | | | | | | | 1 | BLAH3 | etc... | | | | | | 1 | BLAH4 | | |------------|-----------|-----------|----------|---------------|------------------|-------------| | | | | | | | | | and so on. | etc... | etc.. | etc.. | etc.. | etc.. | etc.. | | | | | | | | | ------------------------------------------------------------------------------------------------ </CODE></PRE> Wed, 10 Dec 2014 13:17:15 GMT denmatias 2014-12-10T13:17:15Z https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155235#M185678 <P>Hi,</P> <P>How to loop like this</P> <P>Event fields</P> <P>field1 [value1a, value1b, value1c, value1d,...]<BR /> field2 [value2a, value2b, value2c, value2d....]<BR /> field3 [value3a, value3b, value3c, value3d....]<BR /> and so on..</P> <HR /> <PRE><CODE>--------------------------------- | value1a | value2a | value3a | | | ------------ | | | value3b | | | ----------- | | | value3c | | ----------------------- | | value2b | value3a | | | ------------ | | | value3b | | | ------------ | | | value3c | | |---------------------- | | value2c | value3c | | | ------------ | | | value3b | | | ------------ | | | value3c | ---------------------------------- | value1b | value2a | value3a | | | ------------ | | | value3b | | | ----------- | | | value3c | | ----------------------- | | value2b | value3a | | | ------------ | | | value3b | | | ------------ | | | value3c | | |---------------------- | | value2c | value3c | | | ------------ | | | value3b | | | ------------ | | | value3c | ---------------------------------- </CODE></PRE> Tue, 09 Dec 2014 22:09:32 GMT https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155235#M185678 denmatias 2014-12-09T22:09:32Z https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155236#M185679 <P>What is the requirement here? Could you provide more details how this loop (in your example) is done.</P> Tue, 09 Dec 2014 23:27:06 GMT https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155236#M185679 somesoni2 2014-12-09T23:27:06Z https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155237#M185680 <HR /> <P>The requirement is for IDP traffic </P> <P>field1 = source ip addresses (external and internal)<BR /> field2 = destination ip addresses (external and internal)<BR /> field3 = severity<BR /> field4 = attack signature</P> <P>I want to group the row by source ip <BR /> then each row I want to group by destination ip<BR /> then each row of destination, I want to group by severity count<BR /> then from severity row, i want to group by attack signature</P> <P>this is for report, dashboard and alert.</P> <P>Example</P> <HR /> <PRE><CODE> ------------------------------------------------------------------------------------------------ | SRC_IP | DEST IP | SEV HIGH | SEV CRIT | ATTACT COUNT | ATTACK SIGNATURE | And so on...| |------------|-----------|-----------|----------|---------------|------------------|-------------| | 1.2.3.4 | 4.3.2.1 | 5 | | 2 | BLAH1 | | | | | | | 3 | BLAH5 | etc... | | | | | | 1 | BLAH7 | | | | |-----------|----------|---------------|------------------|-------------| | | | | 4 | 2 | BLAH2 | | | | | | | 1 | BLAH5 | etc... | | | | | | 1 | BLAH1 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH6 | | | | | | | 1 | BLAH8 | etc... | | | | | | 1 | BLAH7 | | | | |-----------|----------|---------------|------------------|-------------| | | | | 6 | 2 | BLAH3 | | | | | | | 2 | BLAH5 | etc... | | | | | | 2 | BLAH1 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH6 | | | | | | | 1 | BLAH8 | etc... | | | | | | 1 | BLAH7 | | |------------|-----------|-----------|----------|---------------|------------------|-------------| | 5.6.3.2 | 4.3.2.1 | 7 | | 4 | BLAH5 | | | | | | | 2 | BLAH6 | etc... | | | | | | 1 | BLAH7 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | | 3 | 1 | BLAH1 | | | | | | | 1 | BLAH2 | etc... | | | | | | 1 | BLAH3 | | | |-----------|-----------|----------|---------------|------------------|-------------| | | 3.6.2.9 | 3 | | 1 | BLAH2 | | | | | | | 1 | BLAH3 | etc... | | | | | | 1 | BLAH4 | | |------------|-----------|-----------|----------|---------------|------------------|-------------| | | | | | | | | | and so on. | etc... | etc.. | etc.. | etc.. | etc.. | etc.. | | | | | | | | | ------------------------------------------------------------------------------------------------ </CODE></PRE> Wed, 10 Dec 2014 13:17:15 GMT https://community.splunk.com/t5/Splunk-Search/how-to-loop-endlessly/m-p/155237#M185680 denmatias 2014-12-10T13:17:15Z