Solved: Re: Count matching values on seperated fields

Aufex · ‎07-31-2017

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

that would give a nice overview.

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

Aufex · ‎08-01-2017

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

woodcock · ‎08-01-2017

Don't forget to click Accept to close the question.

Count matching values on seperated fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation