Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get a report running with cumulative stats?

pbdiggins
Explorer
‎08-03-2022 09:43 AM

 

I run a stats command every hour to show a list of firewall rules that are getting hit in a particular way. My command works for the hourly run, but I can't get a report to keep a running total of my firewall rule hit count. I've tried the following, but it's not working. Can anyone help here?

index=rsyslog firewall-ABC [search index=rsyslog (IONET_allow_BLAH_in OR IONet_allow_BLAH_outbound) host=firewall_XYZ.nascom.nasa.gov | table source_address, destination_address, destination_port] NOT (policy_id=1 OR policy_id=2)| sistats count by policy_id, source_address, destination_address | summaryindex spool=t uselb=t addtime=t index="summary" file="RMD5eef7b35350423340_1029407874.stash_new" name="Delegation_Fails" marker=""

 

Thanks,

 

Paul

 

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2022 07:06 AM

You have an hourly report that writes data to a summary index.  To get a roll-up, run a separate report that reads from the summary index.

I may have given you a command that is too specific.  Try this

index="summary" search_name=<<your hourly report name>>
| stats count by policy_id, source_address, destination_address
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2022 11:17 AM

That query will produce hourly stats and write them to a summary index.  To get cumulative stats, read from the summary index.

index="summary" file="RMD5eef7b35350423340_1029407874.stash_new" name="Delegation_Fails" marker=""
| stats count by policy_id, source_address, destination_address

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pbdiggins
Explorer
‎08-04-2022 06:20 AM

Thanks for your reply, but I don't quite understand.

I'm running this as a report hourly,  how would I use this to accomplish my goals? I don't understand the change in the index...  When I try to run the command as you posted, I get no results within the default time window. I expand the time window to "all time" and still nothing.

Sorry. I'm new to this.. Thanks.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2022 07:06 AM

You have an hourly report that writes data to a summary index.  To get a roll-up, run a separate report that reads from the summary index.

I may have given you a command that is too specific.  Try this

index="summary" search_name=<<your hourly report name>>
| stats count by policy_id, source_address, destination_address
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

pbdiggins
Explorer
‎08-04-2022 07:30 AM

Thank you very much... That was the ticket!!

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...