Splunk Search

Append Eventtype to Top listing

EricPartington
Communicator

I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*).

Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567, etc.

How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?

1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567

This feels like it should be some form of appending to the top command, but I haven't found the appropriate one yet.

Any ideas?

1 Solution

sideview
SplunkTrust

Let me restate it and see if I get it? It sounds like you have a search like:

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely:

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so:

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count
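
As an added illustration that is not part of the answer above, the following Python models how the two stats variants behave when a denied connection carries more than one eventtype (the sample events, field names and eventtype values are constructed assumptions, not data from the post):

```python
from collections import Counter, defaultdict

# Constructed firewall deny events (not from the original post). In Splunk the
# eventtype field is multivalued, so one event can carry several eventtypes.
EVENTS = [
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": ["UT1234", "firewall-deny"]},
    {"src_ip": "1.1.1.1", "dest_ip": "2.2.2.2", "eventtype": ["UT1234", "firewall-deny"]},
    {"src_ip": "1.1.1.2", "dest_ip": "2.2.2.3", "eventtype": ["UT2345"]},
    {"src_ip": "1.1.1.2", "dest_ip": "2.2.2.3", "eventtype": ["UT2345", "tivoli"]},
    {"src_ip": "1.1.1.3", "dest_ip": "2.2.2.4", "eventtype": ["UT4567"]},
    {"src_ip": "9.9.9.9", "dest_ip": "2.2.2.2", "eventtype": ["firewall-deny"]},  # no UT*
]


def search_ut(events):
    """Mimic the `eventtype=UT*` filter: keep events with at least one UT* eventtype.
    The other eventtype values on those events are kept too."""
    return [e for e in events if any(v.startswith("UT") for v in e["eventtype"])]


def stats_by_eventtype(events):
    """`stats count by src_ip, dest_ip, eventtype | sort - count`.
    Splitting by a multivalued field yields one row per distinct value, so a
    connection with several eventtypes is spread over several rows."""
    counts = Counter()
    for e in events:
        for et in e["eventtype"]:
            counts[(e["src_ip"], e["dest_ip"], et)] += 1
    rows = [{"src_ip": s, "dest_ip": d, "eventtype": et, "count": c}
            for (s, d, et), c in counts.items()]
    return sorted(rows, key=lambda r: -r["count"])


def stats_values_eventtype(events):
    """`stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count`.
    One row per connection: count is the number of denied events and eventtype
    the distinct values seen on that connection (sorted, as values() returns them)."""
    counts = Counter()
    seen = defaultdict(set)
    for e in events:
        key = (e["src_ip"], e["dest_ip"])
        counts[key] += 1
        seen[key].update(e["eventtype"])
    rows = [{"src_ip": s, "dest_ip": d, "eventtype": sorted(seen[(s, d)]), "count": c}
            for (s, d), c in counts.items()]
    return sorted(rows, key=lambda r: -r["count"])
```

Running both on the same filtered events shows the first variant producing five rows (two per connection that has two eventtypes) while the second keeps one row per connection, which is why the values() form is the safer choice for a top-10 listing.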
