Re: How to make a graph of the following query

christianubeda · ‎07-27-2018

Hi team!

It's my very first time with Splunk and I need help.

This is my query and I would like to make a graph that will tell me the number of events per day during a week

index=xxx_paloalto sourcetype="pan:traffic" type=TRAFFIC
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") | bin _time span=20s

| stats values(src_zone) as src_zone,count, values(dest_ip) as dest_ip,values(dest_zone) as dest_zone, values(user) as User, values(vendor_action) as Action by src_ip, generated_time | where (mvcount(dest_ip) >= 10)

I want to transform this number into a count.

Thank you!

Ayn · ‎07-27-2018

Add a | stats count to the end. 🙂

christianubeda · ‎07-27-2018

Perfect! Now I have a number!

Just one more thing. How can I do now a grafh? I need events per day in 7 days.

I mean L 8 events, M 4 events, X 9 eventes...

Thanks!

DalJeanis · ‎07-27-2018

instead of

| stats count

do

| bin  generated_time as _time span=1d
| stats count by _time

niketn · ‎07-27-2018

@christianubeda, instead of you could do dc(dest_ip) as unique_dest_ip_count in your stats itself. Then use | where unique_dest_ip_count >= 10. Finally add | stats count as suggested by Ayn

index=xxx_paloalto sourcetype="pan:traffic" type=TRAFFIC 
(src_zone!="Inet-WAN1" AND src_zone!="Inet-WAN2")
(dest_zone!="Inet-WAN1" AND dest_zone!="Inet-WAN2") 
| bin _time span=20s
| stats dc(dest_ip) as unique_dest_ip_count by src_ip, generated_time
| where unique_dest_ip_count >= 10
| stats count

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to make a graph of the following query

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes