Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count by a field and then use that count to sort by in a table?

digital_alchemy
Path Finder
‎03-22-2013 08:46 AM

I'm new to Splunk we just started using it recently so please forgive the newbie question.

Current search:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | table severity signature src src_port dest dest_port

Results in:

severity     signature     src     src_port     dest     dest_port

I want to modify the search to provide a summary of the number of events comming from each src IP to the dest IP and be able to sort by that count.

Desired:

severity     signature     src     dest     dest_port     count

I've tried a few different searches such as this one:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | stats count by src | sort -num(count) | table severity signature src dest dest_port count

However this only populates the src and count column. I'm not quite sure what I'm missing.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

krugger
Communicator
‎03-22-2013 08:53 AM

I would say this is the most direct way of implementing what you are looking for:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | top severity,signature,src,src_port,dest,dest_port limit=50

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎03-22-2013 08:55 AM

If you use a stats, only the fields and results that are in the stats will exists after.

the basic search will be
sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode"
| stats count by severity signature src dest dest_port
| sort -num(count)

and if you just want the count per src and dest, you can group the others fields in a multiline result

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode"
| stats count values(severity) AS list_severity values(signature) AS list_signature values(dest_port) AS list_dest_port by src dest
| sort -num(count)

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-22-2013 08:53 AM

This works?

 your search |  stats count by severity src dest dest_port signature

/k

0 Karma
Reply
Solved! Jump to solution
Solution

krugger
Communicator
‎03-22-2013 08:53 AM

I would say this is the most direct way of implementing what you are looking for:

sourcetype=suricata* NOT tag=dev_profiler severity="high" signature="ET SHELLCODE Possible Call with No Offset UDP Shellcode" | top severity,signature,src,src_port,dest,dest_port limit=50

Reply
Solved! Jump to solution

digital_alchemy
Path Finder
‎03-22-2013 08:57 AM

Works perfectly... thanks for such a quick reply. I didn't even think of the top command I was stuck on using count and sort.

Thanks again.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...