topic Compiling stats for netstat output in Splunk Search https://community.splunk.com/t5/Splunk-Search/Compiling-stats-for-netstat-output/m-p/160356#M45326 <P>Is it possible to take raw netstat input like this:</P> <PRE><CODE>Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 10.181.112.50:34656 10.157.88.10:11210 ESTABLISHED 1001 121024 6925/sync_gateway tcp 0 0 10.181.112.50:38528 10.109.187.75:11210 TIME_WAIT 1001 121039 6925/sync_gateway tcp 0 0 10.181.112.50:39648 10.109.176.116:11210 ESTABLISHED 1001 121056 6925/sync_gateway Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 10.181.112.50:34656 10.157.88.10:11210 ESTABLISHED 1001 121024 6925/sync_gateway tcp 0 0 10.181.112.50:38528 10.109.187.75:11210 TIME_WAIT 1001 121039 6925/sync_gateway tcp 0 0 10.181.112.50:39648 10.109.176.116:11210 TIME_WAIT 1001 121056 6925/sync_gateway </CODE></PRE> <P>and for each "reading" (separated by the Proto Recv-Q header) compute stats like:</P> <H2>Reading 1</H2> <P>ESTABLISHED: 2 <BR /> TIME_WAIT: 1</P> <H2>Reading 2</H2> <P>ESTABLISHED: 1<BR /> TIME_WAIT: 2</P> <P>If it would make it easier to put each netstat reading into it's own file, that would work too.</P> Thu, 18 Jun 2015 00:16:12 GMT tleyden 2015-06-18T00:16:12Z Compiling stats for netstat output https://community.splunk.com/t5/Splunk-Search/Compiling-stats-for-netstat-output/m-p/160356#M45326 <P>Is it possible to take raw netstat input like this:</P> <PRE><CODE>Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 10.181.112.50:34656 10.157.88.10:11210 ESTABLISHED 1001 121024 6925/sync_gateway tcp 0 0 10.181.112.50:38528 10.109.187.75:11210 TIME_WAIT 1001 121039 6925/sync_gateway tcp 0 0 10.181.112.50:39648 10.109.176.116:11210 ESTABLISHED 1001 121056 6925/sync_gateway Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 10.181.112.50:34656 10.157.88.10:11210 ESTABLISHED 1001 121024 6925/sync_gateway tcp 0 0 10.181.112.50:38528 10.109.187.75:11210 TIME_WAIT 1001 121039 6925/sync_gateway tcp 0 0 10.181.112.50:39648 10.109.176.116:11210 TIME_WAIT 1001 121056 6925/sync_gateway </CODE></PRE> <P>and for each "reading" (separated by the Proto Recv-Q header) compute stats like:</P> <H2>Reading 1</H2> <P>ESTABLISHED: 2 <BR /> TIME_WAIT: 1</P> <H2>Reading 2</H2> <P>ESTABLISHED: 1<BR /> TIME_WAIT: 2</P> <P>If it would make it easier to put each netstat reading into it's own file, that would work too.</P> Thu, 18 Jun 2015 00:16:12 GMT https://community.splunk.com/t5/Splunk-Search/Compiling-stats-for-netstat-output/m-p/160356#M45326 tleyden 2015-06-18T00:16:12Z Re: Compiling stats for netstat output https://community.splunk.com/t5/Splunk-Search/Compiling-stats-for-netstat-output/m-p/160357#M45327 <P>I am assuming that each "reading" is a separate event. If so, you need the <CODE>multikv</CODE> command and this should work:</P> <PRE><CODE>... | streamstats current=t count AS reading | multikv | stats count by reading State </CODE></PRE> Sat, 20 Jun 2015 14:49:03 GMT https://community.splunk.com/t5/Splunk-Search/Compiling-stats-for-netstat-output/m-p/160357#M45327 woodcock 2015-06-20T14:49:03Z