Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append Eventtype to Top listing

EricPartington
Communicator
‎03-23-2011 02:30 AM

I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*)

Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567 ..etc

How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?

1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567

THis feels like it should be some form of appending to the top command but I havent found the appropriate one yet.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...