topic Re: Returning top 10 values of a unique field and then return top 3 values that accessed that unique field in Splunk Search

Returning top 10 values of a unique field and then return top 3 values that accessed that unique field

cheukkay — Sun, 21 Jul 2013 09:42:56 GMT

I have a firewall log and I would like to get the top 10 ports of a unique field named SPT(source port). After retrieving the top 10 ports , I want to retrieve the top 3 IP addresses with the most counts for each port. My data is something like this :

SRC=217.208.27.84 SPT=10007

SRC=11.11.11.71 SPT=80

SRC=209.178.173.93 SPT=1035

What i need will be in a format like

SPT ... SRC .........Count..........Percent

10.... 81.42.1.24 .....50...............50%

....... 21.4.2.4 .........35...............35%
.

........81.52.5.2 .......15...............15%

23 ...81.42.1.24 .......60...............60%

....... 12.32.12.3 .......30...............30%
.

........823.4.2.4..........10...............10%

Any idea how??? Thanks alot

Re: Returning top 10 values of a unique field and then return top 3 values that accessed that unique field

Ayn — Sun, 21 Jul 2013 10:11:32 GMT

This is very similar to the very example that's used for explaining subsearches in the docs:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Tutorial/Useasubsearch

<yoursearch> [search <yoursearch> | top 10 spt | fields spt] | top 3 src by spt

Re: Returning top 10 values of a unique field and then return top 3 values that accessed that unique field

cheukkay — Sun, 21 Jul 2013 10:48:52 GMT

Thank you so much! Really appreciate your help! Cheers 😄