Solved: Re: Get top 20 countries from Cisco ASA events

madstylex · ‎02-08-2016

Hi,

I am searching my Cisco ASA logs to count where an IP originates from by country.

It looks like this:

eventtype= | iplocation src_ip | stats count by Country

It works well to give me a count of all the countries, but I can't get it to give me the top 20 only. I have tried multiple combinations of the 'top' and 'head'

I don't want to just choose 20 results per page as I need to generate reports for this.

Can anyone help me out?

renjith_nair · ‎02-08-2016

Try

eventtype= | iplocation src_ip | stats count by Country|sort 20 - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

renjith_nair · ‎02-08-2016

Try

eventtype= | iplocation src_ip | stats count by Country|sort 20 - count

---
What goes around comes around. If it helps, hit it with Karma 🙂

madstylex · ‎02-08-2016

This worked, thanks

javiergn · ‎02-08-2016

You can try this instead:

eventtype= | iplocation src_ip | top limit=20 Country

Get top 20 countries from Cisco ASA events

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

Get top 20 countries from Cisco ASA events

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits