Values and counts

vishwanadhan_mu · ‎08-06-2019

Ex: query=google.com , yahoo.com
src= xyz-pc , abc-pc

I want to know the count of queries to each domain queried by an individual computer.

For example, If I see a computer xyz-pc going to malicious sites multiple times everyday. I want to create a bin/bucket list to find, how many blocked queries and how many times the source computer has reached out to.

Thanks.
Vish

woodcock · ‎08-07-2019

Like this:

... | stats count BY query src
| sort 0 - count
| stats list(*) AS * BY src
| stats sum(count) AS TotalCount BY src
| sort 0 - TotalCount

vishwanadhan_mu · ‎08-11-2019

Could you pleas explain me how it works, if possible.

Especially the sort 0

woodcock · ‎08-13-2019

Does this work for you? The 0 on the sort makes it unlimited (the command has a stupid default that trims the result set). To see what it is doing, just add in each line one by one.

vishwanadhan_mu · ‎08-13-2019

IT worked. Thanks a lot

woodcock · ‎08-14-2019

OK, then you should come back and click Accept on the answer to close the question.

Values and counts

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?