Splunk Search
Highlighted

Count Command

Explorer

Hi,

I'm experiencing some difficulties when using count, the below search query works by listing sip (source ip) against all the siganmes (signatures) which were triggered against the sip. I'm trying to break this down further with a count of these signatures, so:

sip signature count
1.1.1.1 UDP Flood 4
TCP Flood 56
2.2.2.2 UDP Flood 6
TCP Flood 34

I've constructed the following search:

idp-01 signame=* | transaction sip signame count by eventid | table sip signame |stats list(signame) by sip

eventid is a unique reference for each event, this gives me:

sip list(signature)
1.1.1.1 UDP Flood
UDP Flood
UDP Flood
TCP Flood
TCP Flood
TCP Flood
TCP Flood
[repeats 56 times]

Any clues where I’m going wrong here?

Thanks.

Tags (1)
0 Karma
Highlighted

Re: Count Command

Motivator

hello

Try this:

...| stats count by sip, signature

View solution in original post

Highlighted

Re: Count Command

Explorer

Hi gfunete, no joy...
Thanks

0 Karma
Highlighted

Re: Count Command

Legend

What do you mean no joy - what are your results and how do they differ from the results you want?

0 Karma
Highlighted

Re: Count Command

Explorer

counting by sip, signame breaks the table with two columns sip and list(signature), with the sip detailing the source ip associated with the signatures triggered. I'm looking for a third column with a count of the number of times each signature was triggered. Each log has a unique field "eventid" so was looking at using this as a counter.

0 Karma
Highlighted

Re: Count Command

Motivator

Try:
...| stats dc(eventid) by sip, signature

0 Karma
Highlighted

Re: Count Command

Explorer

Thanks gfuente works a treat 😉

0 Karma