Knowledge Management

Data Model Query

sumitkathpal
Explorer

Dear Experts,

Kindly help to modify Query on Data Model, I have built the query.

| tstats summariesonly dc(All_Traffic.src) as src_count from datamodel=Network_Traffic where * by All_Traffic.dest | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort -src_count

Above Query display the Dest IP and Count (Dest IP which matches with Network Traffic and CSV , Result will be displayed) , Also in my Ip.Csv there is field Ip , So i rename to All_Traffic.dest to match the value . Till now everything is fine , Now i am looking for result : Src IP , Dest IP and Count .

Note: I am only comparing Dest IP with CSV no other field.

Tags (1)
1 Solution

reed_kelly
Contributor

It should be simple:

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort - count

View solution in original post

reed_kelly
Contributor

It should be simple:

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort - count

jkat54
SplunkTrust
SplunkTrust

What is your new query and what error are you having now?

0 Karma

sumitkathpal
Explorer

Thanks, I am not getting the errors , above query give the information about incoming ip address hitting on firewall matches with lookup file. I am getting the out Src IP (Matched IP from Lookup) and Count. Now i want to see Src IP , Count and Dest Ip .

Above Query will give provide below output.
Src IP Src_Count
10.10.10.10 5
But i need output:

Src IP Dest Ip Src_Count
10.10.10.10 x.x.x.x 2

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...