This is my search:
index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip AS src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country
This will only show me a count of 10 for each country. How can I get the top count per country?
I saw something about limit=0, but I do not know where to put it.
mcbradford, I don't follow how your last post links to this. If you want to update your question, you need to click the edit button on your original question; posting replies as answers only confuses matters 🙂 As below, what part of the results are wrong?
index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip AS src_ip | fields client_country, count, src_ip | search client_country!="United States" client_country!="" | stats sum(count) by client_country | sort -sum(count)
When I did this I got:
Error in 'top' command: The output count field conflicts with the input field 'count'. Use the 'countfield' option to specify a different name.
My search now is:
index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip AS src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country | top count limit=1
but this errors out.
Hmm, see my updated answer.
| top 100 src_ip
Change that to:
| top 100 src_ip limit=1 |
The limit field is part of the top command and can be changed to set how many top results you want to display.
Edit: Actually, you probably need to add this to the end of your search:
| top count limit=1
Edit edit:
OK, how about:
index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip AS src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country | rename count AS cc_count | top cc_count limit=1
I haven't got Splunk running at the moment, so this is just from memory. It may be a conflict between the counts, so let's do a rename and top on that.
what part of the results are incorrect?
No error, but the results are not correct.
Still does not work.
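Added example, not from the thread: a version of the search that avoids both the 'count' field conflict and the silent truncation to 100 addresses by aggregating with stats instead of top, so each country's figure is the number of denied events rather than the number of source IPs that made the top-100 list. It assumes the same geoip lookup and src_ip field as the searches above; the alias names denied_events and distinct_sources are my own.

```spl
index=network source="/u01/noc/log/internetCisco.log" denied
| stats count AS denied_events BY src_ip
| lookup geoip clientip AS src_ip OUTPUT client_country
| where isnotnull(client_country) AND client_country!="" AND client_country!="United States"
| stats sum(denied_events) AS denied_events, dc(src_ip) AS distinct_sources BY client_country
| sort - denied_events
| head 10
```

Because per-IP counts are summed before geolocation, a country with many low-volume sources is no longer under-counted, and distinct_sources shows how many addresses contribute to each total.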