Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Append Eventtype to Top listing

EricPartington
Communicator
‎03-23-2011 02:30 AM

I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*)

Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567 ..etc

How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?

1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567

THis feels like it should be some form of appending to the top command but I havent found the appropriate one yet.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...