
Is it possible to group by tcp ports with "TCP_High_Port" or "UDP_High_Port" instead?

johnsonchuanglf
New Member

I have a list of output here from a command. With the stats command it comes with a long list of services (tcp or udp high ports); is there any command to group them with the condition that the port number is greater than 1024? I would be grateful if you guys can help. Thanks!

index=someindex |stats count by dstip service|sort count|stats values(service) list(count) by dstip

OUTPUT
services     dstip
tcp_1028     192.168.1.10
tcp_1029
tcp_1030
tcp/10100
tcp/10108
tcp_2056     192.168.1.20
tcp_2068
udp_3378
udp_4069


renjith_nair
Legend

@johnsonchuanglf,

Try

"your base search"
|rex field=services "(?<protocol>\w{3})[_\/](?<port>\d+)"
|stats count(eval(port>1024)) as count,values(services) as services by protocol,dstip 

You may remove values(services) if you do not want the list alongside the count.


johnsonchuanglf
New Member

Thanks for your help. Could I have the result returned as TCP_High_Port instead of the list of service values?

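One way to produce the TCP_High_Port / UDP_High_Port labels asked for in the follow-up, as an added Python example that is not part of this thread or of Splunk: it parses the same service strings shown in the question (both the tcp_1028 and tcp/10100 forms), applies the question's "port greater than 1024" rule, and groups the result by dstip. The dstip and service values are taken from the question's output; the per-service counts are constructed.

```python
import re
from collections import defaultdict

# Matches service strings such as "tcp_1028" or "tcp/10100", the two forms in the question.
SERVICE_RE = re.compile(r"^(?P<protocol>tcp|udp)[_/](?P<port>\d+)$", re.IGNORECASE)

HIGH_PORT_THRESHOLD = 1024  # ports above this are the "high ports" the question asks about


def classify_service(service):
    """Return 'TCP_High_Port' / 'UDP_High_Port' for ports above the threshold,
    the original service name for low ports, or None if the string does not parse."""
    m = SERVICE_RE.match(service.strip())
    if not m:
        return None
    protocol = m.group("protocol").upper()
    port = int(m.group("port"))
    if port > HIGH_PORT_THRESHOLD:
        return f"{protocol}_High_Port"
    return service


def group_high_ports(rows):
    """Group (dstip, service, count) rows by dstip and bucket label.
    Returns {dstip: {label: summed count}}, ordered by dstip."""
    result = defaultdict(lambda: defaultdict(int))
    for dstip, service, count in rows:
        label = classify_service(service)
        if label is None:
            continue  # unparseable value: skip it rather than mislabel it
        result[dstip][label] += count
    return {ip: dict(buckets) for ip, buckets in sorted(result.items())}


# Constructed sample rows in the shape of the question's "stats count by dstip service" output
SAMPLE_ROWS = [
    ("192.168.1.10", "tcp_1028", 4),
    ("192.168.1.10", "tcp_1029", 1),
    ("192.168.1.10", "tcp_1030", 2),
    ("192.168.1.10", "tcp/10100", 1),
    ("192.168.1.10", "tcp/10108", 3),
    ("192.168.1.10", "tcp_443", 9),   # low port: kept under its own name
    ("192.168.1.20", "tcp_2056", 5),
    ("192.168.1.20", "tcp_2068", 2),
    ("192.168.1.20", "udp_3378", 1),
    ("192.168.1.20", "udp_4069", 1),
]

if __name__ == "__main__":
    for ip, buckets in group_high_ports(SAMPLE_ROWS).items():
        print(ip, buckets)
```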