Solved: Re: Create Multi-Value field based 4 fields

jachockey012 · ‎01-06-2021

So basically I have some network logs and by base search filters down to source IP, destination IP, destination port, and protocol. I am trying to figure out a way to iterate over all events and group based off the 4-tuple data mentioned above. Below is an image of what I am thinking. You'll notice I added an ID field and I figured that would somehow be the equivalent to ID+=1 at the end of a loop or something.

The original data is bro logs. If you need a list of all the fields below is a link and the source is the conn.log (the green box on the first page)
http://gauss.ececs.uc.edu/Courses/c6055/pdf/bro_log_vars.pdf

ITWhisperer · ‎01-07-2021

| eval tuple='src-ip'.'dst-ip'.'dst-port'.'proto'
| stats list(src-ip) as src-ip list(dst-ip) as dst-ip list(dst-port) as dst-port list(proto) as proto by tuple
| streamstats count as id
| fields - tuple

View solution in original post

ITWhisperer · ‎01-07-2021

| eval tuple='src-ip'.'dst-ip'.'dst-port'.'proto'
| stats list(src-ip) as src-ip list(dst-ip) as dst-ip list(dst-port) as dst-port list(proto) as proto by tuple
| streamstats count as id
| fields - tuple

jachockey012 · ‎01-07-2021

Effective... Thank you very much.

Create Multi-Value field based 4 fields

eval

other

stats

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!