Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Count matching values on seperated fields

Aufex
Explorer
‎07-31-2017 11:41 PM

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

HOST | SRC | DEST | SRC_PORT | DEST_PORT | COUNT

that would give a nice overview.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-01-2017 01:13 AM

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-01-2017 01:13 AM

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port
Reply
Solved! Jump to solution

Aufex
Explorer
‎08-01-2017 01:17 AM

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-01-2017 08:13 PM

Don't forget to click Accept to close the question.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...