Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you show only specific categories in returned events?

markerton
New Member
‎09-13-2018 02:43 AM

I'm trying to run a simple search that shows only specific results and excludes the rest.

The results are coming from our proxy and I only want to show two categories: Malnets or Botnets; however when running the search it populates the results with additional categories (such as Health, Shopping, Technology, etc.). As it's going to be used in a dashboard, I only want to show the two intended categories and exclude the rest.

(I'm fairly new to Splunk so my knowledge is not very vast.)

The search I have so far is:

index=proxy category="*botnets" OR category="*malnets" | chart count by category | sort -count

I've tried searching around and trying a few other commands (like useother but can't seem to get it to work out how I want it.

Thanks in advance for any help.

0 Karma
Reply

zonistj
Path Finder
‎09-13-2018 03:18 PM

Hi! My best guess is that your proxy events have multiple categories per event. So, for example, a given event might have two categories: "malnets" and "shopping". That would make sense given that websites / traffic can fall into multiple categories.

Is there a unique ID for each event? If so, I recommend running something like this:

 index=proxy category="*botnets" 
|stats dc(category) values(category) by event_id

The intent here is to validate if you have multiple categories per event. The stats function is going to give you a count of how many unique categories as well as a listing of the unique category values per event. If you have a count larger than one and multiple categories listed in a given event then that confirms why you're seeing more categories than expected.

Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...