Hi,
I'm trying to return some results with the AppID that is being searched. My current search does everything I want except return the AppID that is being searched. My search and results are below. Any help with constructing the proper search would be greatly appreciated.
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", application as "AppID"
Results:
UniqueSrcIP  UniqueDstIP  UniqueSrcPort  UniqueDstPort  ComboIPs  Sent      Rec        AppID
19           22           74             2              40        14545060  534759637
Here's how to get the tabled results sorted by application:
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by application | sort application
It's interesting how the query I gave works when the application field is not renamed.
Like this:
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) AS "AppID"
I'm surprised the query works without a function around the application field. Try this:
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | rename application AS AppID | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID
or
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) as "AppID"
I downvoted this post because it is the wrong answer.
Including the rename still doesn't work. Neither of the methods you've described works.
The "by AppID" gives me an error. The query looks like the comment above.
The rename command is missing.
Thanks for your help. I pretty much have the result I need. I just need my results to be sorted based on AppID rather than aggregating the results from all AppIDs. Could you help me with that? Do I use a "by AppID"?
index=index1 sourcetype=traffic application=ssh OR ping action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats values(application) as "AppID", dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID
AppID       UniqueSrcIP  UniqueDstIP  UniqueSrcPort  UniqueDstPort  ComboIPs  Sent         Rec
"ping ssh"  3447         68267        5921           6              73211     13690286344  1079036067
The "by AppID" clause will display the results based on AppID rather than aggregating them.
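The whole thread turns on what `stats` does with and without a `by` clause: a bare field name is not an aggregation, `values(application)` collapses every app into one multivalue cell, and `by <field>` only splits on a field that already exists when stats runs. The following is an added Python example, not Splunk code and not from the original thread: it re-implements `dc()`, `sum()` and `values()` over a constructed list of firewall events (field names mirror the search above; the data is made up) so the three behaviours can be compared without a Splunk instance.

```python
"""Added illustration of the Splunk `stats` semantics discussed in the thread.

Not Splunk code: a Python re-implementation of dc(), sum() and values()
over constructed firewall events, so the effect of `values(application)`
versus `by application` can be seen offline.
"""
from collections import defaultdict


def make_event(app, src, dst, sport, dport, sent, rec):
    return {"application": app, "Src_IP": src, "Dst_IP": dst,
            "Src_Port": sport, "Dst_Port": dport,
            "bytes_sent": sent, "bytes_received": rec}


# Constructed sample events (not real traffic data).
EVENTS = [
    make_event("ssh",  "10.0.0.1", "10.0.1.5", 50111, 22, 1200, 4800),
    make_event("ssh",  "10.0.0.2", "10.0.1.5", 50112, 22,  900, 3000),
    make_event("ssh",  "10.0.0.1", "10.0.1.6", 50113, 22,  300,  700),
    make_event("ping", "10.0.0.3", "10.0.1.5",     0,  0,   64,   64),
    make_event("ping", "10.0.0.3", "10.0.1.7",     0,  0,   64,    0),
]


def rename(events, old, new):
    """Emulate `| rename <old> AS <new>` so the field exists before stats."""
    return [{(new if k == old else k): v for k, v in e.items()} for e in events]


def summarize(events):
    """One result row: the thread's stats clause applied to a single group."""
    def dc(field):                                   # dc(<field>)
        return len({e[field] for e in events})

    combos = {f"{e['Src_IP']}-{e['Dst_IP']}" for e in events}   # eval ComboIP
    return {
        # values(application): a multivalue field, one entry per distinct app
        "AppID": sorted({e["application"] for e in events if "application" in e}),
        "UniqueSrcIP": dc("Src_IP"),
        "UniqueDstIP": dc("Dst_IP"),
        "UniqueSrcPort": dc("Src_Port"),
        "UniqueDstPort": dc("Dst_Port"),
        "ComboIPs": len(combos),
        "Sent": sum(e["bytes_sent"] for e in events),
        "Rec": sum(e["bytes_received"] for e in events),
    }


def stats(events, by=None):
    """Emulate `stats ... [by <field>]`.

    With no `by` clause every event falls into one group, so the search
    collapses to a single row and values(application) lists every app seen
    (the "ping ssh" cell in the thread's last result).  With `by`, one row
    is produced per distinct value of the split field, and events that do
    not carry that field are left out; that is why the split field must
    exist before stats runs (rename it first if it does not).
    """
    if by is None:
        return [summarize(events)]
    groups = defaultdict(list)
    for e in events:
        if by in e:
            groups[e[by]].append(e)
    rows = []
    for key in sorted(groups):           # equivalent of `| sort <field>`
        row = summarize(groups[key])
        row[by] = key
        rows.append(row)
    return rows


if __name__ == "__main__":
    print("no by clause:           ", stats(EVENTS))
    print("by application:         ", stats(EVENTS, by="application"))
    print("by AppID, no rename:    ", stats(EVENTS, by="AppID"))
    print("by AppID after rename:  ",
          stats(rename(EVENTS, "application", "AppID"), by="AppID"))
```

Running it shows the single collapsed row, the per-application rows, an empty result when splitting on a field no event carries, and the per-AppID rows once `rename` has created that field first.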