Solved: How to count total number of events from 2 fields ...

akke · ‎09-28-2019

I have a .csv with fields tcp_srcport, and tcp_dstport. I want to find the total amount of traffic using each port.

For example
Query 1:

index="index" 
| stats count by tcp_srcport

Results:

tcp_srcport  |  count
    22            6 
    80            54

Query 2:

index="index" 
| stats count by tcp_dstport

Results:

tcp_dstport  |  count
    22            1 
    80            73

However, what I'm looking for is:

Traffic per port  |  count
       22              7 
       80             127

How do I do this?

renjith_nair · ‎09-28-2019

@akke,

Try

index="index" | eval Traffic_Per_Port=tcp_srcport+"#"+tcp_dstport|makemv Traffic_Per_Port delim="#"
| stats count by Traffic_Per_Port

---
What goes around comes around. If it helps, hit it with Karma 🙂

renjith_nair · ‎09-28-2019

@akke,

Try

index="index" | eval Traffic_Per_Port=tcp_srcport+"#"+tcp_dstport|makemv Traffic_Per_Port delim="#"
| stats count by Traffic_Per_Port

---
What goes around comes around. If it helps, hit it with Karma 🙂

akke · ‎09-28-2019

It works perfectly! Thank you!

How to count total number of events from 2 fields that contains a port number?