Solved: Re: Count matching values on seperated fields

Aufex · ‎07-31-2017

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

that would give a nice overview.

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

Aufex · ‎08-01-2017

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

woodcock · ‎08-01-2017

Don't forget to click Accept to close the question.

Count matching values on seperated fields

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!