Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Webproxy search help

fdevera
Path Finder
‎11-04-2020 02:19 PM

Hi I've got this webproxy ES base search where I'm trying to show high number of destinations from a low number of sources. I would also like to throttle the search by going back 24hr, then only looking at the most recent time. How best to do that?

| tstats `summariesonly` count min(_time) as first_seen max(_time) as last_seen values(Web.action) as Web.action from datamodel=Web.Web WHERE index=webproxy Web.action=allowed
by Web.src Web.dest
| `drop_dm_object_name("Web")`
| convert ctime(*_seen)
| lookup dnslookup clientip AS dest OUTPUT clienthost AS dest_host
| lookup dnslookup clientip AS src OUTPUT clienthost AS src_host
| search NOT src_host=drekar-rancher-ccena*
| sort - count

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply

fdevera
Path Finder
‎11-05-2020 08:10 AM

Bump

0 Karma
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!