Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can I do all that in one search string, or do i have to create a search for each index?

HathMH
Path Finder
‎09-09-2022 12:56 PM

I am not sure how to word this so I'm going to bring it as an example.

We have 3 firewalls that send logs for ingestion. Each FW is for a separate purpose so they are configured slightly differently. Each appliance has their logs ingested into Splunk to go into separate indexes (due to their purposes and location in the logical topology). Within each firewall, there are of course field values that are helpful to sort and do stats on.

Now my question:

I am still learning spl, reading through Exploring Splunk by Carasso, so I don't have a full understanding in all the nuances.

In one search string, can I reference each index, create a table for each index, which further divides and displays that index into categories like firewall action as one field, type of request as another field, and then provide stat counts on each of those categories (how many of field 1, field 2, etc) and then also provide a total bandwidth displayed (bytes)....all this within the same table.

Index FW1

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total

Index FW2

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total

Index FW3

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total

 

Can I do all that in one search string, or do i have to create a search for each index?

Labels (5)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-09-2022 05:05 PM

Can I do all that in one search string, or do i have to create a search for each index?

The short answer is yes, you can - always.  A more nuanced answer is: How you want it done?  The long answer depends on possible additional functionality you may want in this table, amount of potential rows, and your aesthetics.

Assuming all illustrated columns are already extracted, a basic layout could be

indexcountFW ActionType of Requestbytes todal
FW1100allowedtype1FW1 total
FW150allowedtype2FW1 total
FW120deniedtype1FW1 total
FW2150allowedtype1FW2 total

In this layout, I assume that "bytes total" is total per FW, not per action per request.  This layout also does not perform any kind of cell merge trickery. (The above illustration uses color-codes to indicate inherently identical values.  In Splunk's output tables, cell merge is mere trickery.  If you merge rows, any additional functionality can only be carried on the merged cells.)

To output a table like this, you can do something like

index=FW*
| stats count sum(eval('bytes total')) as "bytes total" by index "FW Action" "Type of Request"
| eventstats sum(eval('bytes total')) as "bytes total" by index
| sort index "FW Action" "Type of Request"

This is a very long way to say that you should illustrate and explain your desired layout.  Hope this helps.

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...