
Search for ports by host

Path Finder

Hi All!
What search commands can I use to get results like this?


Esteemed Legend

Like this:

... | stats first(status) BY host port
| stats list(port) AS port list(status) AS status BY host
0 Karma

SplunkTrust

@vumanhtai, multiple IPs can be connecting to the same port. So ideally you should have the result the other way around.

 <YourBaseSearch>
| eval port_status=port." - ".status
| stats values(port_status) as port_status by host
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Super Champion
...|stats list(port) as port, list(status) as status by host

OR

...|stats values(port) as port, values(status) as status by host

You can try this...
list() does not dedup while values() will dedup

0 Karma
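
Added example, not part of any reply above: a run-anywhere search that puts the aggregations from the answers side by side (list(), values(), and values() over the combined port_status field). The hosts, ports and statuses in constructed_sample are made up for illustration, including a repeated 10.0.0.5 port 22 event, and the output field names are assumptions.

```spl
| makeresults
| eval constructed_sample="10.0.0.5,22,open 10.0.0.5,80,closed 10.0.0.5,443,open 10.0.0.5,22,open 10.0.0.7,22,closed 10.0.0.7,80,open"
| makemv delim=" " constructed_sample
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<host>[^,]+),(?<port>\d+),(?<status>\w+)$"
| eval port_status=port." - ".status
| stats list(port) AS list_port
        list(status) AS list_status
        values(port) AS values_port
        values(status) AS values_status
        values(port_status) AS port_status
        BY host
| eval list_counts_match=if(mvcount(list_port)==mvcount(list_status), "yes", "no"),
       values_counts_match=if(mvcount(values_port)==mvcount(values_status), "yes", "no")
| table host list_port list_status list_counts_match values_port values_status values_counts_match port_status
```

For 10.0.0.5, values(status) collapses to two entries against three distinct ports, so the separate port and status columns no longer line up row by row, while list() keeps the pairing but repeats the duplicate event. Only port_status carries each port together with its own status after deduplication.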