Getting Data In

How to count total number of events from 2 fields that contains a port number?

akke
Explorer

I have a .csv with fields tcp_srcport, and tcp_dstport. I want to find the total amount of traffic using each port.

For example
Query 1:

index="index" 
| stats count by tcp_srcport

Results:

tcp_srcport  |  count
    22            6 
    80            54

Query 2:

index="index" 
| stats count by tcp_dstport

Results:

tcp_dstport  |  count
    22            1 
    80            73

However, what I'm looking for is:

Traffic per port  |  count
       22              7 
       80             127

How do I do this?

Tags (3)
0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@akke,

Try

index="index" | eval Traffic_Per_Port=tcp_srcport+"#"+tcp_dstport|makemv Traffic_Per_Port delim="#"
| stats count by Traffic_Per_Port
Happy Splunking!

View solution in original post

renjith_nair
SplunkTrust
SplunkTrust

@akke,

Try

index="index" | eval Traffic_Per_Port=tcp_srcport+"#"+tcp_dstport|makemv Traffic_Per_Port delim="#"
| stats count by Traffic_Per_Port
Happy Splunking!

akke
Explorer

It works perfectly! Thank you!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...