Knowledge Management

Data Model Query

sumitkathpal
Explorer

Dear Experts,

Kindly help me modify a query on a data model. I have built the query:

| tstats summariesonly dc(All_Traffic.src) as src_count from datamodel=Network_Traffic where * by All_Traffic.dest | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort -src_count

The above query displays the Dest IP and count (only Dest IPs that match both Network Traffic and the CSV are shown). Also, in my Ip.csv there is a field Ip, so I rename it to All_Traffic.dest to match the value. Till now everything is fine. Now I am looking for this result: Src IP, Dest IP and Count.

Note: I am only comparing Dest IP with CSV no other field.

1 Solution

reed_kelly
Contributor

It should be simple:

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort - count

jkat54
SplunkTrust

What is your new query and what error are you having now?


sumitkathpal
Explorer

Thanks, I am not getting any errors. The above query gives information about incoming IP addresses hitting the firewall that match the lookup file. I am getting the output Src IP (matched IP from lookup) and Count. Now I want to see Src IP, Count and Dest IP.

The above query will provide the output below.

Src IP        Src_Count
10.10.10.10   5

But I need this output:

Src IP        Dest Ip    Src_Count
10.10.10.10   x.x.x.x    2

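To make the difference between the two queries concrete, here is an added Python model of both pipelines run over a handful of constructed traffic events; it is not part of the thread and not Splunk code. The events, the Ip.csv contents and the IP addresses are all made up for the example. `dc_src_by_dest` mirrors the original query (dc(All_Traffic.src) by All_Traffic.dest), which can only ever return one row per destination, while `count_by_dest_src` mirrors the accepted answer (count by All_Traffic.dest All_Traffic.src), which yields the src/dest/count rows the asker wants. In both, the `| search [| inputlookup Ip.csv ...]` subsearch is modelled as a set-membership filter on the destination. Two practical caveats when running the real SPL: `summariesonly=t` only reads accelerated data, so unaccelerated events are silently excluded, and a subsearch is capped by Splunk's default subsearch result limit (10,000 rows), so a very large Ip.csv would be truncated without an error.

```python
import csv
import io
from collections import Counter

# Constructed sample events in the shape of the two Network_Traffic data model
# fields the thread uses: (All_Traffic.src, All_Traffic.dest).
EVENTS = [
    ("10.10.10.10", "192.0.2.1"),
    ("10.10.10.10", "192.0.2.1"),
    ("10.10.10.10", "192.0.2.1"),
    ("10.10.10.10", "192.0.2.2"),
    ("10.10.10.10", "192.0.2.2"),
    ("10.10.10.11", "192.0.2.1"),
    ("10.10.10.12", "198.51.100.9"),  # dest is not in the lookup: dropped by the subsearch filter
    ("10.10.10.12", "198.51.100.9"),
]

# Constructed stand-in for Ip.csv, with the single "Ip" column the asker renames
# to All_Traffic.dest.
LOOKUP_CSV = "Ip\n192.0.2.1\n192.0.2.2\n"


def load_lookup(csv_text):
    """Model `| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest`.

    Returns the set of destination IPs the subsearch would turn into a filter.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Ip"].strip() for row in reader if row.get("Ip")}


def dc_src_by_dest(events, lookup_ips):
    """Model the original query: dc(All_Traffic.src) by All_Traffic.dest, sorted by -src_count.

    One row per destination; the source addresses are collapsed into a distinct count,
    which is why the asker cannot see the Src IP in this output.
    """
    srcs_by_dest = {}
    for src, dest in events:
        if dest in lookup_ips:
            srcs_by_dest.setdefault(dest, set()).add(src)
    rows = [(dest, len(srcs)) for dest, srcs in srcs_by_dest.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def count_by_dest_src(events, lookup_ips):
    """Model the accepted answer: count by All_Traffic.dest All_Traffic.src, sorted by -count.

    Grouping on both fields keeps the src/dest pair in the output, giving
    (Src IP, Dest IP, Count) rows.
    """
    pair_counts = Counter((src, dest) for src, dest in events if dest in lookup_ips)
    rows = [(src, dest, n) for (src, dest), n in pair_counts.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    lookup = load_lookup(LOOKUP_CSV)
    print("original query (dest, src_count):")
    for dest, n in dc_src_by_dest(EVENTS, lookup):
        print(f"  {dest:<14} {n}")
    print("accepted answer (src, dest, count):")
    for src, dest, n in count_by_dest_src(EVENTS, lookup):
        print(f"  {src:<14} {dest:<14} {n}")
```

Running the script prints the collapsed per-destination view first and the per-pair view second; the 198.51.100.9 traffic appears in neither, because its destination is absent from the lookup.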