Splunk Search

Can I do all that in one search string, or do I have to create a search for each index?

HathMH
Path Finder

I am not sure how to word this so I'm going to bring it as an example.

We have 3 firewalls that send logs for ingestion. Each FW is for a separate purpose, so they are configured slightly differently. Each appliance has its logs ingested into Splunk into a separate index (due to their purposes and location in the logical topology). Within each firewall, there are of course field values that are helpful to sort and do stats on.

Now my question:

I am still learning SPL, reading through Exploring Splunk by Carasso, so I don't have a full understanding of all the nuances.

In one search string, can I reference each index, create a table for each index, which further divides and displays that index into categories like firewall action as one field, type of request as another field, and then provide stat counts on each of those categories (how many of field 1, field 2, etc.) and then also provide a total bandwidth displayed (bytes) ... all this within the same table?

Index FW1

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total

Index FW2

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total

Index FW3

            stat count ------  FW Action ---- (nested sort) Type of Request ---- bytes total


Can I do all that in one search string, or do I have to create a search for each index?


yuanliu
SplunkTrust

Can I do all that in one search string, or do I have to create a search for each index?

The short answer is yes, you can - always.  A more nuanced answer is: how do you want it done?  The long answer depends on possible additional functionality you may want in this table, the amount of potential rows, and your aesthetics.

Assuming all illustrated columns are already extracted, a basic layout could be

index   count   FW Action   Type of Request   bytes total
FW1     100     allowed     type1             FW1 total
FW1     50      allowed     type2             FW1 total
FW1     20      denied      type1             FW1 total
FW2     150     allowed     type1             FW2 total

In this layout, I assume that "bytes total" is total per FW, not per action per request.  This layout also does not perform any kind of cell merge trickery. (The above illustration uses color-codes to indicate inherently identical values.  In Splunk's output tables, cell merge is mere trickery.  If you merge rows, any additional functionality can only be carried on the merged cells.)

To output a table like this, you can do something like

index=FW*
| stats count sum(eval('bytes total')) as "bytes total" by index "FW Action" "Type of Request"
| eventstats sum(eval('bytes total')) as "bytes total" by index
| sort index "FW Action" "Type of Request"

This is a very long way to say that you should illustrate and explain your desired layout.  Hope this helps.
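To make the semantics of that pipeline concrete, here is an added Python model of what the stats / eventstats / sort stages compute, run over a handful of constructed firewall events. It is not part of the answer above and not Splunk code; it assumes each event carries the fields index, "FW Action", "Type of Request" and a per-event byte count named bytes (the answer's SPL sums a field called 'bytes total'). It goes one step beyond the SPL by keeping the per-group byte sum as its own column next to the per-index total, so both readings of "bytes total" discussed in the answer are visible in one table.

```python
from collections import defaultdict

# Constructed sample firewall events (not real log data): each dict stands for
# one ingested event with the fields the thread assumes are already extracted.
EVENTS = [
    {"index": "FW1", "FW Action": "allowed", "Type of Request": "type1", "bytes": 500},
    {"index": "FW1", "FW Action": "allowed", "Type of Request": "type1", "bytes": 300},
    {"index": "FW1", "FW Action": "allowed", "Type of Request": "type2", "bytes": 200},
    {"index": "FW1", "FW Action": "denied",  "Type of Request": "type1", "bytes": 50},
    {"index": "FW2", "FW Action": "allowed", "Type of Request": "type1", "bytes": 1000},
    {"index": "FW2", "FW Action": "denied",  "Type of Request": "type2", "bytes": 10},
    {"index": "FW3", "FW Action": "allowed", "Type of Request": "type1", "bytes": 700},
]

# Same split fields as the answer's `by index "FW Action" "Type of Request"`.
GROUP_FIELDS = ("index", "FW Action", "Type of Request")


def stats_count_sum(events, by=GROUP_FIELDS, sum_field="bytes"):
    """Model of `stats count sum(bytes) as group_bytes by <fields>`:
    one output row per distinct combination of the `by` fields, events collapsed."""
    counts = defaultdict(int)
    sums = defaultdict(int)
    for ev in events:
        key = tuple(ev[f] for f in by)
        counts[key] += 1
        sums[key] += ev[sum_field]
    rows = []
    for key in counts:
        row = dict(zip(by, key))
        row["count"] = counts[key]
        row["group_bytes"] = sums[key]
        rows.append(row)
    return rows


def eventstats_sum(rows, field, out_field, by=("index",)):
    """Model of `eventstats sum(field) as out_field by index`: the per-index total
    is computed once and written onto every row of that index; rows are kept,
    not collapsed, which is why the SPL can show it on each FW1 line."""
    totals = defaultdict(int)
    for row in rows:
        totals[tuple(row[f] for f in by)] += row[field]
    for row in rows:
        row[out_field] = totals[tuple(row[f] for f in by)]
    return rows


def firewall_table(events):
    """The answer's pipeline end to end, ordered like
    `sort index "FW Action" "Type of Request"`.  Unlike the SPL, it keeps
    group_bytes (per action/request) next to "bytes total" (per index)."""
    rows = stats_count_sum(events)
    rows = eventstats_sum(rows, "group_bytes", "bytes total")
    return sorted(rows, key=lambda r: tuple(r[f] for f in GROUP_FIELDS))


if __name__ == "__main__":
    header = list(GROUP_FIELDS) + ["count", "group_bytes", "bytes total"]
    print("\t".join(header))
    for row in firewall_table(EVENTS):
        print("\t".join(str(row[c]) for c in header))
```

Running it prints six rows: three for FW1 (each carrying the same 1050 in "bytes total" while group_bytes differs), two for FW2 with 1010, and one for FW3 with 700. If you only want the answer's exact SPL behaviour, drop the group_bytes column; the eventstats stage then overwrites the per-group sum with the per-index total, exactly as the second line of the SPL does.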
