Splunk Search

How do I count by a field and then use that count to sort by in a table?

digital_alchemy
Path Finder

I'm new to Splunk we just started using it recently so please forgive the newbie question.

Current search:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | table severity signature src src_port dest dest_port

Results in:

severity     signature     src     src_port     dest     dest_port

I want to modify the search to provide a summary of the number of events comming from each src IP to the dest IP and be able to sort by that count.

Desired:

severity     signature     src     dest     dest_port     count

I've tried a few different searches such as this one:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | stats count by src | sort -num(count) | table severity signature src dest dest_port count

However this only populates the src and count column. I'm not quite sure what I'm missing.

Tags (3)
0 Karma
1 Solution

krugger
Communicator

I would say this is the most direct way of implementing what you are looking for:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | top severity,signature,src,src_port,dest,dest_port limit=50

View solution in original post

yannK
Splunk Employee
Splunk Employee

If you use a stats, only the fields and results that are in the stats will exists after.

the basic search will be
sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode"
| stats count by severity signature src dest dest_port
| sort -num(count)

and if you just want the count per src and dest, you can group the others fields in a multiline result

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode"
| stats count values(severity) AS list_severity values(signature) AS list_signature values(dest_port) AS list_dest_port by src dest
| sort -num(count)

0 Karma

kristian_kolb
Ultra Champion

This works?

 your search |  stats count by severity src dest dest_port signature

/k

0 Karma

krugger
Communicator

I would say this is the most direct way of implementing what you are looking for:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | top severity,signature,src,src_port,dest,dest_port limit=50

View solution in original post

digital_alchemy
Path Finder

Works perfectly... thanks for such a quick reply. I didn't even think of the top command I was stuck on using count and sort.

Thanks again.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!