Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why am I only and always getting results from host...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
null0
New Member
06-24-2018
11:46 PM
hello guys,
This is my simple query for port flapping detection
eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" AND
((host=10.29.18.*) OR (host=10.29.23.*)) OR ((host=10.29.72.*) OR (host=10.29.28.*)) OR ((host=10.11.40.*) OR (host=10.11.41.*) OR (host=10.11.42.*) OR (host=10.11.43.*) OR (host=10.11.44.*) OR (host=10.11.45.*) OR (host=10.11.46.*) OR (host=10.11.47.*) OR (host=10.11.2.*) OR (host=10.11.68.*) OR (host=10.11.2.*)) OR (host=10.29.56.*)
| rex field=host "10\.29\.56\.(?<range_10_29_56>\d{1,3})"
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
| stats count,latest(port_status) AS port_status by host,src_interface | sort -count | table host,src_interface,port_status,count
Any hint about why i'm only and always getting results from host in 10.29.56.X network? i'm sure about the existence of entries for others networks.
many thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-25-2018
12:13 AM
You will always get result from from host in 10.29.56.X network due to where condition
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
it will take only those which will satisfy above condition and other network host never contain field- range_10_29_56 so it will never be seen so try fillnull-
eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" AND
((host=10.29.18.*) OR (host=10.29.23.*)) OR ((host=10.29.72.*) OR (host=10.29.28.*)) OR ((host=10.11.40.*) OR (host=10.11.41.*) OR (host=10.11.42.*) OR (host=10.11.43.*) OR (host=10.11.44.*) OR (host=10.11.45.*) OR (host=10.11.46.*) OR (host=10.11.47.*) OR (host=10.11.2.*) OR (host=10.11.68.*) OR (host=10.11.2.*)) OR (host=10.29.56.*)
| rex field=host "10\.29\.56\.(?<range_10_29_56>\d{1,3})"
|fillnull
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
| stats count,latest(port_status) AS port_status by host,src_interface | sort -count | table host,src_interface,port_status,count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
06-25-2018
12:13 AM
You will always get result from from host in 10.29.56.X network due to where condition
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
it will take only those which will satisfy above condition and other network host never contain field- range_10_29_56 so it will never be seen so try fillnull-
eventtype="cisco_ios-port_down" OR eventtype="cisco_ios-port_up" AND
((host=10.29.18.*) OR (host=10.29.23.*)) OR ((host=10.29.72.*) OR (host=10.29.28.*)) OR ((host=10.11.40.*) OR (host=10.11.41.*) OR (host=10.11.42.*) OR (host=10.11.43.*) OR (host=10.11.44.*) OR (host=10.11.45.*) OR (host=10.11.46.*) OR (host=10.11.47.*) OR (host=10.11.2.*) OR (host=10.11.68.*) OR (host=10.11.2.*)) OR (host=10.29.56.*)
| rex field=host "10\.29\.56\.(?<range_10_29_56>\d{1,3})"
|fillnull
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
| stats count,latest(port_status) AS port_status by host,src_interface | sort -count | table host,src_interface,port_status,count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
null0
New Member
06-25-2018
12:58 AM
seems that it works fine. i've never heard abt this cmd FILLNULL. many thx to all
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
06-25-2018
12:08 AM
@null0, following query seems to restrict the results to range 10.29.56.###
| rex field=host "10\.29\.56\.(?<range_10_29_56>\d{1,3})"
| where (range_10_29_56 >= 0 AND range_10_29_56 <= 127)
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
