I run a stats command every hour to show a list of firewall rules that are getting hit in a particular way. My command works for the hourly run, but I can't get a report to keep a running total of my firewall rule hit count. I've tried the following, but it's not working. Can anyone help here?
index=rsyslog firewall-ABC [search index=rsyslog (IONET_allow_BLAH_in OR IONet_allow_BLAH_outbound) host=firewall_XYZ.nascom.nasa.gov | table source_address, destination_address, destination_port] NOT (policy_id=1 OR policy_id=2)| sistats count by policy_id, source_address, destination_address | summaryindex spool=t uselb=t addtime=t index="summary" file="RMD5eef7b35350423340_1029407874.stash_new" name="Delegation_Fails" marker=""
Thanks,
Paul
You have an hourly report that writes data to a summary index. To get a roll-up, run a separate report that reads from the summary index.
I may have given you a command that is too specific. Try this
index="summary" search_name=<<your hourly report name>>
| stats count by policy_id, source_address, destination_address
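An added worked example, not from the original thread, that builds on the accepted answer: it reads the summary index back and adds the per-rule running total the question asked for. It assumes the hourly report is saved under the name Delegation_Fails (the name= value in the posted command, which is what search_name holds in the summary events), that the summary index is called summary, and that a 7-day window with hourly buckets is wanted; both are illustrative choices.

```spl
index="summary" search_name="Delegation_Fails" earliest=-7d@d latest=now
| bin _time span=1h
| stats count BY _time, policy_id, source_address, destination_address
| streamstats sum(count) AS running_total BY policy_id, source_address, destination_address
| sort 0 - _time - running_total
```

The stats command emits one row per hour per (policy_id, source_address, destination_address) tuple in ascending _time order, so streamstats can accumulate each tuple's hourly hits into running_total from the start of the window up to that hour. Run it as a second scheduled report or ad hoc; it never touches the raw rsyslog events, only the summary index the hourly report already populates.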
That query will produce hourly stats and write them to a summary index. To get cumulative stats, read from the summary index.
index="summary" file="RMD5eef7b35350423340_1029407874.stash_new" name="Delegation_Fails" marker=""
| stats count by policy_id, source_address, destination_address
Thanks for your reply, but I don't quite understand.
I'm running this as a report hourly, how would I use this to accomplish my goals? I don't understand the change in the index... When I try to run the command as you posted, I get no results within the default time window. I expand the time window to "all time" and still nothing.
Sorry. I'm new to this... Thanks.
Thank you very much... That was the ticket!!
