How do I edit my search to return a certain field value in my table of results?

Explorer

Hi,

I'm trying to return some results with the AppID that is being searched. My current search does everything I want except return the AppID that is being searched. My search and results are below. Any help with constructing the proper search would be greatly appreciated.

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", application as "AppID"

Results:

UniqueSrcIP   UniqueDstIP   UniqueSrcPort   UniqueDstPort   ComboIPs   Sent       Rec        AppID
19          22          74            2            40        14545060   534759637   
0 Karma

Explorer

Here's how to get the tabled results sorted by application:

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by application | sort by application
0 Karma

SplunkTrust

Interesting how the query I gave works when the application field is not renamed.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Esteemed Legend

Like this:

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) AS "AppID"
0 Karma

SplunkTrust

I'm surprised the query works without a function around the application field. Try this:

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | rename application AS AppID | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID

or

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) as "AppID"
---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

I downvoted this post because it is the wrong answer.

0 Karma

Explorer

Including the rename still doesn't work. Neither of the methods you've described work.

0 Karma

Explorer

The "by AppID" gives me an error. The query looks like the comment above.

0 Karma

SplunkTrust

The rename command is missing.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Explorer

Thanks for your help. I pretty much have the result I need. I just need my results to be sorted based on AppID rather than aggregating the results from all AppIDs. Could you help me with that? Do I use a "by AppID"?

index=index1 sourcetype=traffic application=ssh OR ping action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats values(application) as "AppID", dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID

AppID       UniqueSrcIP  UniqueDstIP  UniqueSrcPort  UniqueDstPort  ComboIPs  Sent         Rec
"ping ssh"  3447         68267        5921           6              73211     13690286344  1079036067

0 Karma

SplunkTrust

The "by AppID" clause will display the results based on AppID rather than aggregating them.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
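To show what the thread's two shapes of the stats command actually produce, here is an added example (not code from any post above) that simulates the dc(), sum() and values() functions in Python over a constructed set of firewall traffic records: one run with values(application) and no by clause, which collapses every application into a single row with a multivalue AppID cell like the "ping ssh" row above, and one run with by application, which yields one row per application.

```python
from collections import defaultdict

# Constructed sample traffic records; field names follow the thread's search.
EVENTS = [
    {"application": "ssh",  "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.5",
     "Src_Port": 50001, "Dst_Port": 22, "bytes_sent": 1200, "bytes_received": 800},
    {"application": "ssh",  "Src_IP": "10.0.0.2", "Dst_IP": "10.0.1.5",
     "Src_Port": 50002, "Dst_Port": 22, "bytes_sent": 300, "bytes_received": 4000},
    {"application": "ping", "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.6",
     "Src_Port": 0, "Dst_Port": 0, "bytes_sent": 64, "bytes_received": 64},
    {"application": "ping", "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.7",
     "Src_Port": 0, "Dst_Port": 0, "bytes_sent": 64, "bytes_received": 0},
]


def aggregate(events):
    """Mimic the dc()/sum()/values() functions over one group of events."""
    return {
        "UniqueSrcIP": len({e["Src_IP"] for e in events}),
        "UniqueDstIP": len({e["Dst_IP"] for e in events}),
        "UniqueSrcPort": len({e["Src_Port"] for e in events}),
        "UniqueDstPort": len({e["Dst_Port"] for e in events}),
        # ComboIP = Src_IP."-".Dst_IP in the search; a tuple is equivalent for dc()
        "ComboIPs": len({(e["Src_IP"], e["Dst_IP"]) for e in events}),
        "Sent": sum(e["bytes_sent"] for e in events),
        "Rec": sum(e["bytes_received"] for e in events),
        # values(application): distinct values, returned as one multivalue cell
        "AppID": sorted({e["application"] for e in events}),
    }


def stats_no_by(events):
    """`... | stats ... values(application) AS AppID` with no by clause:
    everything is aggregated into a single row."""
    return [aggregate(events)]


def stats_by_application(events):
    """`... | stats ... by application`: one row per distinct application,
    so the counts and byte totals are no longer mixed across apps."""
    groups = defaultdict(list)
    for e in events:
        groups[e["application"]].append(e)
    return [aggregate(groups[app]) for app in sorted(groups)]


if __name__ == "__main__":
    for row in stats_no_by(EVENTS) + stats_by_application(EVENTS):
        print(row)
```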