I am not sure how to word this so I'm going to bring it as an example.
We have 3 firewalls that send logs for ingestion. Each FW is for a separate purpose, so they are configured slightly differently. Each appliance has its logs ingested into Splunk into a separate index (due to their purposes and location in the logical topology). Within each firewall's logs there are of course field values that are helpful to sort and do stats on.
Now my question:
I am still learning SPL, reading through Exploring Splunk by Carasso, so I don't have a full understanding of all the nuances.
In one search string, can I reference each index, create a table for each index that further divides and displays that index into categories (firewall action as one field, type of request as another field), provide stat counts on each of those categories (how many of field 1, field 2, etc.), and also provide the total bandwidth (bytes)... all this within the same table?
Index FW1
stat count ------ FW Action ---- (nested sort) Type of Request ---- bytes total
Index FW2
stat count ------ FW Action ---- (nested sort) Type of Request ---- bytes total
Index FW3
stat count ------ FW Action ---- (nested sort) Type of Request ---- bytes total
Can I do all that in one search string, or do I have to create a search for each index?
Can I do all that in one search string, or do I have to create a search for each index?
The short answer is yes, you can - always. A more nuanced answer is: how do you want it done? The long answer depends on the additional functionality you may want in this table, the number of potential rows, and your aesthetics.
Assuming all illustrated columns are already extracted, a basic layout could be
index | count | FW Action | Type of Request | bytes total |
FW1   | 100   | allowed   | type1           | FW1 total   |
FW1   | 50    | allowed   | type2           | FW1 total   |
FW1   | 20    | denied    | type1           | FW1 total   |
FW2   | 150   | allowed   | type1           | FW2 total   |
In this layout, I assume that "bytes total" is total per FW, not per action per request. This layout also does not perform any kind of cell merge trickery. (The above illustration uses color-codes to indicate inherently identical values. In Splunk's output tables, cell merge is mere trickery. If you merge rows, any additional functionality can only be carried on the merged cells.)
To output a table like this, you can do something like
index=FW*
| stats count sum('bytes total') as "bytes total" by index "FW Action" "Type of Request"
| eventstats sum('bytes total') as "bytes total" by index
| sort index "FW Action" "Type of Request"
This is a very long way to say that you should illustrate and explain your desired layout. Hope this helps.
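A runnable version of the layout above, added here as an illustration and not part of the original answer. Instead of reading from the real FW1/FW2/FW3 indexes it builds a handful of constructed firewall-style rows with makeresults, makemv, mvexpand and rex (sample data, not real logs), so it can be pasted into any search bar as-is. The field names action, request_type and bytes are assumed stand-ins for whatever the three firewalls actually extract, and the search keeps both the per-group byte sum and the per-index total, which the answer above collapses into a single column.

```spl
| makeresults
| eval data="FW1,allowed,type1,120;FW1,allowed,type1,80;FW1,allowed,type2,50;FW1,denied,type1,0;FW2,allowed,type1,300;FW2,denied,type2,0;FW3,allowed,type1,70;FW3,allowed,type1,30"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<index>[^,]+),(?<action>[^,]+),(?<request_type>[^,]+),(?<bytes>\d+)$"
| fields index action request_type bytes
| stats count sum(bytes) as bytes_in_group by index action request_type
| eventstats sum(bytes_in_group) as "bytes total" by index
| sort index action request_type
| table index count action request_type bytes_in_group "bytes total"
```

The first six lines only exist to fabricate events; against real data replace them with `index=FW1 OR index=FW2 OR index=FW3 | fields index action request_type bytes`. Listing the indexes explicitly rather than using `index=FW*` matters: the wildcard silently pulls in any index whose name happens to start with FW, including ones created later for a different purpose, and the `fields` command early in the pipeline limits what the search head has to retrieve. The `stats` command collapses raw events into one row per index/action/request type with its own count and byte sum, and the `eventstats ... by index` that follows adds the per-firewall total to every row of that index without changing the row count, which is exactly the "FW1 total" column in the layout above.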