I'm trying to run a simple search that shows only specific results and excludes the rest.
The results are coming from our proxy and I only want to show two categories: Malnets or Botnets; however, when running the search it populates the results with additional categories (such as Health, Shopping, Technology, etc.). As it's going to be used in a dashboard, I only want to show the two intended categories and exclude the rest.
(I'm fairly new to Splunk so my knowledge is not very vast.)
The search I have so far is:
index=proxy category="*botnets" OR category="*malnets" | chart count by category | sort -count
I've tried searching around and trying a few other commands (like useother), but can't seem to get it to work out how I want it.
Thanks in advance for any help.
Hi! My best guess is that your proxy events have multiple categories per event. So, for example, a given event might have two categories: "malnets" and "shopping". That would make sense given that websites / traffic can fall into multiple categories.
Is there a unique ID for each event? If so, I recommend running something like this:
index=proxy category="*botnets"
|stats dc(category) values(category) by event_id
The intent here is to validate if you have multiple categories per event. The stats function is going to give you a count of how many unique categories as well as a listing of the unique category values per event. If you have a count larger than one and multiple categories listed in a given event then that confirms why you're seeing more categories than expected.
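Added example (not part of the answer above): it builds three constructed events with a multivalue category field, which is the situation the answer guesses at, and then applies a fix. The wildcard search keeps an event as long as any one of its values matches, so the non-matching values still reach chart; mvfilter drops those values before charting. The event_id field and the category values are assumptions made for the example.

```spl
| makeresults count=3
| streamstats count AS event_id
| eval category=case(event_id==1, "malnets,shopping",
                     event_id==2, "botnets",
                     event_id==3, "health,technology")
| eval category=split(category, ",")
| search category="*botnets" OR category="*malnets"
| eval category=mvfilter(match(category, "(?i)^(botnets|malnets)$"))
| where isnotnull(category)
| chart count by category
| sort -count
```

The first five lines stand in for index=proxy. Run the search without the mvfilter and where lines and the chart shows a shopping row as well, which reproduces the original problem: event 1 passes the wildcard search because of malnets, and chart then counts each of its values. An alternative that needs no regex is to leave the values alone and filter the finished table instead, by appending `| search category="*botnets" OR category="*malnets"` after the chart command; that works because search placed after a transforming command filters result rows rather than raw events.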