https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98793#M25465 <P>nah, this doesnt work the way i need. this only gives table of the top 10 src for the top 5 error codes. i need the table to show top 10 src per each of the top 5 error codes. so the output table will have 50 IP's, 10 per error_code, etc.</P> <P>and to add more complexity, would like a "count(src) by error_code" next to each of the IP's (this will indicate how many times this IP caused the event with this error code).</P> Thu, 22 Mar 2012 13:59:45 GMT cvajs 2012-03-22T13:59:45Z https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98791#M25463 <P>v4.3.1 linux<BR /> how do you create a search that mimics iteration like in bash<BR /> for i in <CODE>ls /root</CODE> ;do ls -al $i &gt; out.txt ;done</P> <P>as example:<BR /> for error_code in [search index=cisco_firewall | top error_code limit=5] --&gt; search index=cisco_firewall error_code=$error_code$ | top src limit=10</P> <P>so, for each of the top 5 error_code i want the top 10 IP's associated with each error_code</P> <P>then if possible, the count(error_code) by IP for each uniq error_code</P> Mon, 28 Sep 2020 11:33:25 GMT https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98791#M25463 cvajs 2020-09-28T11:33:25Z https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98792#M25464 <P>This should work,</P> <PRE><CODE>index=cisco_firewall [search index=cisco_firewall | top 5 error_code| fields + error_code] | top 10 src </CODE></PRE> <P>The following link will explain in more detail.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork">http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork</A></P> <P>/Kristian</P> Thu, 22 Mar 2012 02:19:09 GMT https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98792#M25464 kristian_kolb 2012-03-22T02:19:09Z https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98793#M25465 <P>nah, this doesnt work the way i need. this only gives table of the top 10 src for the top 5 error codes. i need the table to show top 10 src per each of the top 5 error codes. so the output table will have 50 IP's, 10 per error_code, etc.</P> <P>and to add more complexity, would like a "count(src) by error_code" next to each of the IP's (this will indicate how many times this IP caused the event with this error code).</P> Thu, 22 Mar 2012 13:59:45 GMT https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98793#M25465 cvajs 2012-03-22T13:59:45Z https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98794#M25466 <P>index=cisco_firewall [search index=cisco_firewall | top 5 error_code| fields + error_code] | top 10 src by error_code</P> <P>IF you add the "by error_code" at the end, does this do it?</P> Mon, 28 Sep 2020 11:33:41 GMT https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98794#M25466 lguinn2 2020-09-28T11:33:41Z https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98795#M25467 <P>ok, i get a weird output. i am expecting 50 lines in my table, but it only shows 28 and only 3 of the top 5 error codes. my table display is 50 per page. let me run some tests.</P> <P>ok, ran some tests, found why. there's an extraction issue for some events with specific event codes. as example: %ASA-5-304001 does not follow the same log format as say %ASA-4-106021 or %ASA-4-106023. could be a daunting task to find all of the problem codes and fix the extraction for each, but maybe not so bad for say top 10 or 20 error codes, etc.</P> Thu, 22 Mar 2012 20:31:16 GMT https://community.splunk.com/t5/Splunk-Search/Iteration-Function-Syntax/m-p/98795#M25467 cvajs 2012-03-22T20:31:16Z