Solved: Count matching values on seperated fields

Aufex · ‎07-31-2017

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

that would give a nice overview.

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

Aufex · ‎08-01-2017

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

woodcock · ‎08-01-2017

Don't forget to click Accept to close the question.

Count matching values on seperated fields

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Count matching values on seperated fields

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers