Splunk Enterprise Security

How do you show only specific categories in returned events?

markerton
New Member

I'm trying to run a simple search that shows only specific results and excludes the rest.

The results are coming from our proxy and I only want to show two categories: Malnets or Botnets; however when running the search it populates the results with additional categories (such as Health, Shopping, Technology, etc.). As it's going to be used in a dashboard, I only want to show the two intended categories and exclude the rest.

(I'm fairly new to Splunk so my knowledge is not very vast.)

The search I have so far is:

index=proxy category="*botnets" OR category="*malnets" | chart count by category | sort -count

I've tried searching around and trying a few other commands (like useother), but I can't seem to get it to work out how I want it.

Thanks in advance for any help.


zonistj
Path Finder

Hi! My best guess is that your proxy events have multiple categories per event. So, for example, a given event might have two categories: "malnets" and "shopping". That would make sense given that websites / traffic can fall into multiple categories.

Is there a unique ID for each event? If so, I recommend running something like this:

index=proxy category="*botnets"
| stats dc(category) values(category) by event_id

The intent here is to validate whether you have multiple categories per event. The stats function is going to give you a count of how many unique categories there are, as well as a listing of the unique category values per event. If you have a count larger than one and multiple categories listed in a given event, then that confirms why you're seeing more categories than expected.
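The behaviour described in the question and the diagnostic in the answer both come down to how a search treats a multivalue field. The following Python simulation is an added example, not code from either poster and not SPL: it builds a few constructed proxy events that carry more than one category each, reproduces why `category="*botnets" OR category="*malnets" | chart count by category` still surfaces Shopping or Health (the filter keeps the whole event when any one value matches, and the chart then counts every value), mirrors the `stats dc(category) values(category) by event_id` check from the answer, and shows the fix of trimming the non-matching values before counting. The field name `category`, the `event_id` field and the sample values are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample proxy events (not real data). Each event may carry
# several categories, which is the situation the answer above suspects.
EVENTS = [
    {"event_id": "e1", "category": ["Malnets", "Shopping"]},
    {"event_id": "e2", "category": ["Botnets"]},
    {"event_id": "e3", "category": ["Technology", "Health"]},
    {"event_id": "e4", "category": ["Malnets", "Technology"]},
    {"event_id": "e5", "category": ["Botnets", "Health", "Shopping"]},
]

# The two wildcard patterns from the original search.
PATTERNS = ["*botnets", "*malnets"]


def wildcard_match(value, pattern):
    """Case-insensitive match of a Splunk-style '*' wildcard against one value."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def search(events, patterns):
    """Mimic the base search: an event is kept when ANY of its category
    values matches ANY pattern. The other values of that event survive too."""
    return [
        e for e in events
        if any(wildcard_match(v, p) for v in e["category"] for p in patterns)
    ]


def chart_count_by_category(events):
    """Mimic `chart count by category | sort -count` on a multivalue field:
    every value of every kept event is counted, so unwanted categories leak in.
    Ties are broken by name so the result is deterministic."""
    counts = Counter(v for e in events for v in e["category"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def dc_and_values_by_event(events):
    """Mimic `stats dc(category) values(category) by event_id`, the diagnostic
    from the answer: (distinct count, sorted distinct values) per event."""
    return {
        e["event_id"]: (len(set(e["category"])), sorted(set(e["category"])))
        for e in events
    }


def keep_only_matching_values(events, patterns):
    """Drop the non-matching values from each event's category field before
    charting. This is the fix, not something the thread states: in SPL the
    analogue is filtering the multivalue field with mvfilter/match."""
    trimmed = []
    for e in events:
        kept = [v for v in e["category"]
                if any(wildcard_match(v, p) for p in patterns)]
        trimmed.append({"event_id": e["event_id"], "category": kept})
    return trimmed


if __name__ == "__main__":
    hits = search(EVENTS, PATTERNS)
    print("chart as written:", chart_count_by_category(hits))
    print("diagnostic      :", dc_and_values_by_event(hits))
    print("chart after trim:", chart_count_by_category(keep_only_matching_values(hits, PATTERNS)))
```

Running it shows the leak: Shopping, Health and Technology appear in the chart even though every kept event matched one of the two patterns, and the per-event diagnostic reports a distinct count above one for those events. After trimming, only Botnets and Malnets remain. The SPL counterpart of the trim step would be an `eval` using `mvfilter(match(category, "(?i)botnets$|malnets$"))` placed before the `chart`; that line is an assumption of this example and should be checked against the actual field values in your index.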
