Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to use datamodel field values in tstats to fil...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
08-31-2018
07:33 PM
I'm trying to search my Intrusion Detection datamodel when the src_ip is a specific CIDR to limit the results but can't seem to get the search right. Is this possible?
| tstats count from datamodel=Intrusion_Detection where (nodename IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")
| `drop_dm_object_name("Intrusion_Detection")`
| fields src, dest, dest_port
WORKING QUERY
| tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port
| `drop_dm_object_name("IDS_Attacks")`
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-31-2018
07:49 PM
It's should be possible to filter using where. Are you getting result for
| tstats count from datamodel=Intrusion_Detection where (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")
EDIT : Working search from @DEAD_BEEF,
| tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port
| `drop_dm_object_name("IDS_Attacks")`
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-31-2018
07:49 PM
It's should be possible to filter using where. Are you getting result for
| tstats count from datamodel=Intrusion_Detection where (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")
EDIT : Working search from @DEAD_BEEF,
| tstats count from datamodel=Intrusion_Detection where (nodename = IDS_Attacks (IDS_Attacks.src="1.2.3.4/30" OR IDS_Attacks.dest="5.6.7.8/30")) groupby IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.SrcPort, IDS_Attacks.dest_port
| `drop_dm_object_name("IDS_Attacks")`
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DEAD_BEEF
Builder
08-31-2018
08:33 PM
That worked, thanks! Added the working query in the original question for future readers. Re-post it as response so I can accept it please.
Get Updates on the Splunk Community!
What the End of Support for Splunk Add-on Builder Means for You
Hello Splunk Community!
We want to share an important update regarding the future of the Splunk Add-on Builder ...
Solve, Learn, Repeat: New Puzzle Channel Now Live
Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
