Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count matching values on seperated fields

Aufex
Explorer
‎07-31-2017 11:41 PM

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

HOST | SRC | DEST | SRC_PORT | DEST_PORT | COUNT

that would give a nice overview.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-01-2017 01:13 AM

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

Reply
Solved! Jump to solution
Solution

knielsen
Contributor
‎08-01-2017 01:13 AM

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port
Reply
Solved! Jump to solution

Aufex
Explorer
‎08-01-2017 01:17 AM

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎08-01-2017 08:13 PM

Don't forget to click Accept to close the question.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...