I am using the Splunk App for *nix to gather netstat data, and I am trying to find the number of connections to port 44221. I am using this search string, but I am unable to figure out how to get a count of the occurrences within each event, since there are no obvious fields; the event is just formatted like the output of the netstat command in the terminal.
index=os sourcetype="netstat" host="hostname" 44221
The command successfully highlights each line with that port number, so I imagine there has to be a very simple way to get the count of matches within each event, but I haven't found it yet.
If index=os sourcetype="netstat" host="hostname" 44221 | stats count doesn't give you what you are looking for, try using rex to extract the values into a field. You could do something like this (assuming your terminal command is netstat -e):
index=os sourcetype="netstat" host="hostname" 44221 | rex ":(?<port>\d+)" | stats count by port
Thanks for your quick reply!
index=os sourcetype="netstat" host="hostname" 44221 | stats count
just gives me the number of events that contain 44221, which is just the same as the time I'm searching because it is indexed once per minute.
index=os sourcetype="netstat" host="hostname" 44221 | rex ":(?<port>\d+)" | stats count by port
seems to only pull out the first port that is listed by netstat in each event (which happens to be 32000 for me) and count those, which again is just the same as the time period being searched. I think this is on the right track, but I need it to grab specifically the port 44221, and I also need it to count every occurrence of that in each event and display it as a running total.
If an event can have multiple occurrences, you can add max_match=0 to the rex command, which will capture all occurrences. Then you could use mvcount() or other multi-value functions to manipulate that field. Something like this:
index=os sourcetype="netstat" host="hostname" 44221 | rex max_match=0 ":(?<port>\d+)" | eval c=mvcount(port)
http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/rex
http://docs.splunk.com/Documentation/Splunk/6.2.0/Search/Parsemultivaluefields
Thanks, this did it for me! To add for anyone who finds this in the future, my final search was
index=os sourcetype="netstat" host="hostname" | rex max_match=0 ":(?<port>4422\d|5432)" | eval c=mvcount(port) | stats c by port
I used ":(?<port>4422\d|5432)", which matched only the ports I cared about, and the stats c by port gave me a pretty chart of the data.
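Added example, not from the thread: a small Python emulation of what rex max_match and mvcount do to one constructed netstat event, using the thread's own regexes. It also adds an assumed stricter regex with a (?!\d) lookahead, because ":(?<port>4422\d|5432)" has no right-hand boundary and also matches the first four digits of a longer port such as 54321, and a variant that counts only the Local Address column so that foreign-side ports are not included.

```python
import re
from collections import Counter

# Constructed netstat -an style event (not from the thread). The *nix app
# indexes one such snapshot per minute, so one event = one snapshot.
NETSTAT_EVENT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32000           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:44221          10.0.0.9:54321          ESTABLISHED
tcp        0      0 10.0.0.5:44221          10.0.0.12:51902         ESTABLISHED
tcp        0      0 10.0.0.5:5432           10.0.0.7:40122          ESTABLISHED
tcp        0      0 10.0.0.5:44222          10.0.0.7:5432           TIME_WAIT
"""

# The thread's regexes, with Splunk's (?<name>...) written as Python's (?P<name>...).
ANY_PORT_RE = re.compile(r":(?P<port>\d+)")
WANTED_PORT_RE = re.compile(r":(?P<port>4422\d|5432)")
# Stricter variant (assumption, not in the thread): (?!\d) stops "5432"
# from matching the first four digits of a longer port such as 54321.
STRICT_PORT_RE = re.compile(r":(?P<port>4422\d|5432)(?!\d)")

def rex(event, pattern, max_match=1):
    """Emulate rex: max_match=1 keeps only the first capture, max_match=0 keeps all."""
    ports = [m.group("port") for m in pattern.finditer(event)]
    return ports if max_match == 0 else ports[:max_match]

def count_by_port(event, pattern):
    """Emulate rex max_match=0 ... | stats count by port for a single event."""
    return dict(Counter(rex(event, pattern, max_match=0)))

def count_local_by_port(event, pattern):
    """Like count_by_port, but looks only at the Local Address column, so a
    foreign-side port (e.g. this host connecting out to 5432) is not counted."""
    local = []
    for line in event.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[0].startswith(("tcp", "udp")):
            m = pattern.search(cols[3])
            if m:
                local.append(m.group("port"))
    return dict(Counter(local))

if __name__ == "__main__":
    print(rex(NETSTAT_EVENT, ANY_PORT_RE))            # first port only, as the OP saw
    print(count_by_port(NETSTAT_EVENT, WANTED_PORT_RE))  # 54321 inflates the 5432 count
    print(count_local_by_port(NETSTAT_EVENT, STRICT_PORT_RE))
```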