How do I edit my search to get a total sum of list...

mikesangray · ‎10-05-2015

I've got this search working to show me allowed (!=blocked) network activity that lists the dest_ip, and dest_port, grouped by src with a count for each. Now I just want to get the total number of hits so I can eventually sort by highest hit count per individual src.

How can I get the total? I'm assuming I would use the list(count) column numbers, but no luck so far.

index=firewall action!=blocked src={your.ip.address}
|stats count by src,dest_port,dest_ip |stats list by src

knielsen · ‎10-07-2015

Hi,

If I understood correctly, you simply need to use it like this:

index=firewall action!=blocked src={your.ip.address}
 |stats count by src,dest_port,dest_ip |stats list sum(count) by src

Hth,
Kai.

somesoni2 · ‎10-05-2015

Try something like this

 index=firewall action!=blocked src={your.ip.address}
 |stats count by src,dest_port,dest_ip | eventstats sum(count) as count_src by src | sort 0 src count_src dest_port dest_ip

mikesangray · ‎10-05-2015

hm...no, with that string I lose my grouping. I'm working with this for now. Not ideal, but I'm getting the data I want.

index=firewall action!=blocked src={your.ip.address}
|stats count by src,dest_port,dest_ip |eventstats sum(count) by dest_ip |stats list by src

How do I edit my search to get a total sum of list(count)?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms