Solved: Get top 20 countries from Cisco ASA events

madstylex · ‎02-08-2016

Hi,

I am searching my Cisco ASA logs to count where an IP originates from by country.

It looks like this:

eventtype= | iplocation src_ip | stats count by Country

It works well to give me a count of all the countries, but I can't get it to give me the top 20 only. I have tried multiple combinations of the 'top' and 'head'

I don't want to just choose 20 results per page as I need to generate reports for this.

Can anyone help me out?

renjith_nair · ‎02-08-2016

Try

eventtype= | iplocation src_ip | stats count by Country|sort 20 - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎02-08-2016

Try

eventtype= | iplocation src_ip | stats count by Country|sort 20 - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

madstylex · ‎02-08-2016

This worked, thanks

javiergn · ‎02-08-2016

You can try this instead:

eventtype= | iplocation src_ip | top limit=20 Country

Get top 20 countries from Cisco ASA events

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation