Splunk Search
Highlighted

Count matching values on seperated fields

New Member

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest srcport destport"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

HOST | SRC | DEST | SRCPORT | DESTPORT | COUNT

that would give a nice overview.

0 Karma
Highlighted

Re: Count matching values on seperated fields

Contributor

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

Highlighted

Re: Count matching values on seperated fields

New Member

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

0 Karma
Highlighted

Re: Count matching values on seperated fields

Esteemed Legend

Don't forget to click Accept to close the question.

0 Karma