How to count the total number of events from 2 fields that contain a port number?

akke
Explorer

I have a .csv with fields tcp_srcport, and tcp_dstport. I want to find the total amount of traffic using each port.

For example
Query 1:

index="index" 
| stats count by tcp_srcport

Results:

tcp_srcport  |  count
    22            6 
    80            54

Query 2:

index="index" 
| stats count by tcp_dstport

Results:

tcp_dstport  |  count
    22            1 
    80            73

However, what I'm looking for is:

Traffic per port  |  count
       22              7 
       80             127

How do I do this?

renjith_nair
SplunkTrust

@akke,

Try

index="index"
| eval Traffic_Per_Port=tcp_srcport+"#"+tcp_dstport
| makemv Traffic_Per_Port delim="#"
| stats count by Traffic_Per_Port

Happy Splunking!

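The same per-port count done outside Splunk, as an added Python example that is not part of this thread: it reads a constructed CSV in the shape of the poster's file and counts each event once for every port it carries, whether on the source or the destination side. It also keeps events in which one of the two fields is empty; in SPL the eval concatenation above evaluates to null when either field is missing, so those events drop out of the stats.

```python
import csv
import io
from collections import Counter

# Constructed sample rows in the shape of the poster's .csv (not real traffic).
# The last row has no tcp_dstport, to show the missing-field case.
SAMPLE_CSV = """tcp_srcport,tcp_dstport
22,51234
51234,22
80,40001
40002,80
80,
"""


def traffic_per_port(csv_text, src_field="tcp_srcport", dst_field="tcp_dstport"):
    """Return a Counter of port -> number of events touching that port.

    Equivalent to the accepted SPL: both port fields are folded into one list
    of values per event and counted by value, so an event with src 22 and
    dst 51234 adds one to both ports. An empty field is skipped rather than
    discarding the whole event.
    """
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in (src_field, dst_field):
            port = (row.get(field) or "").strip()
            if port:
                counts[port] += 1
    return counts


def as_table(counts):
    """Rows of (port, count), busiest port first, like the poster's wanted output."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], int(kv[0])))


if __name__ == "__main__":
    print("Traffic per port  |  count")
    for port, count in as_table(traffic_per_port(SAMPLE_CSV)):
        print(f"{port:>16}  |  {count}")
```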
akke
Explorer

It works perfectly! Thank you!
