Splunk Search

How do I edit my search to return a certain field value in my table of results?

phspec
Explorer

Hi,

I'm trying to return some results with the AppID that is being searched. My current search does everything I want except return the appID that is being searched. My search and results are below. Any help with constructing the proper search would be greatly appreciated.

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", application as "AppID"

Results:

UniqueSrcIP  UniqueDstIP  UniqueSrcPort  UniqueDstPort  ComboIPs  Sent      Rec        AppID
19           22           74             2              40        14545060  534759637
0 Karma

phspec
Explorer

Here's how to get the tabled results sorted by application:

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by application | sort by application
0 Karma

richgalloway
SplunkTrust

Interesting how the query I gave works when the application field is not renamed.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

woodcock
Esteemed Legend

Like this:

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) AS "AppID"
0 Karma

richgalloway
SplunkTrust

I'm surprised the query works without a function around the application field. Try this

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | rename application AS AppID | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID

or

index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) as "AppID"
---
If this reply helps you, an upvote would be appreciated.
0 Karma

phspec
Explorer

I downvoted this post because it's the wrong answer.

0 Karma

phspec
Explorer

Including the rename still doesn't work. Neither of the methods you've described works.

0 Karma

phspec
Explorer

The "by AppID" gives me an error. The query looks like the comment above.

0 Karma

richgalloway
SplunkTrust

The rename command is missing.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

phspec
Explorer

Thanks for your help. I pretty much have the result I need. I just need my results to be sorted based on AppID rather than aggregating the results from all AppIDs. Could you help me with that? Do I use a "by AppID"?

index=index1 sourcetype=traffic application=ssh OR ping action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats values(application) as "AppID", dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID

AppID       UniqueSrcIP  UniqueDstIP  UniqueSrcPort  UniqueDstPort  ComboIPs  Sent         Rec
"ping ssh"  3447         68267        5921           6              73211     13690286344  1079036067

0 Karma

richgalloway
SplunkTrust

The "by AppID" clause will display the results based on AppID rather than aggregating them.

---
If this reply helps you, an upvote would be appreciated.
0 Karma
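Added illustration, not part of the thread: a small Python model of what the two working forms of the stats command in this thread return, run over constructed firewall traffic events. It shows why `values(application)` yields one aggregate row with a multivalue AppID ("ping ssh") while `by application` splits the counts into one row per application. Field names follow the thread; the events and the `search_allowed` helper are made up for the example.

```python
from collections import defaultdict

# Constructed sample traffic events (not from the thread); the last two are
# filtered out by the search, like "application=ssh OR ping action=allow".
EVENTS = [
    {"application": "ssh",  "action": "allow", "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.5",
     "Src_Port": 51000, "Dst_Port": 22, "bytes_sent": 1200, "bytes_received": 3400},
    {"application": "ssh",  "action": "allow", "Src_IP": "10.0.0.2", "Dst_IP": "10.0.1.5",
     "Src_Port": 51001, "Dst_Port": 22, "bytes_sent": 800, "bytes_received": 2200},
    {"application": "ping", "action": "allow", "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.9",
     "Src_Port": 0, "Dst_Port": 0, "bytes_sent": 64, "bytes_received": 64},
    {"application": "ping", "action": "allow", "Src_IP": "10.0.0.1", "Dst_IP": "10.0.1.9",
     "Src_Port": 0, "Dst_Port": 0, "bytes_sent": 64, "bytes_received": 64},
    {"application": "ssh",  "action": "deny",  "Src_IP": "10.0.0.3", "Dst_IP": "10.0.1.5",
     "Src_Port": 51002, "Dst_Port": 22, "bytes_sent": 0, "bytes_received": 0},
    {"application": "web",  "action": "allow", "Src_IP": "10.0.0.4", "Dst_IP": "10.0.1.7",
     "Src_Port": 51003, "Dst_Port": 443, "bytes_sent": 500, "bytes_received": 9000},
]


def search_allowed(events, apps=("ssh", "ping")):
    """Model the base search: keep allowed events for the listed applications."""
    return [e for e in events if e["application"] in apps and e["action"] == "allow"]


def stats(events, by=None):
    """Model 'stats dc(...) ... sum(...) [by <field>]' with ComboIP = Src_IP."-".Dst_IP.

    by=None  -> one aggregate row; AppID is values(application), a sorted distinct list.
    by=field -> one row per distinct value of that field, AppID set to the group key.
    """
    groups = defaultdict(list)
    for e in events:
        groups[e[by] if by else None].append(e)
    rows = []
    for key, evs in sorted(groups.items(), key=lambda kv: str(kv[0])):  # like "| sort by application"
        rows.append({
            "AppID": key if by else sorted({e["application"] for e in evs}),
            "UniqueSrcIP": len({e["Src_IP"] for e in evs}),
            "UniqueDstIP": len({e["Dst_IP"] for e in evs}),
            "UniqueSrcPort": len({e["Src_Port"] for e in evs}),
            "UniqueDstPort": len({e["Dst_Port"] for e in evs}),
            "ComboIPs": len({f"{e['Src_IP']}-{e['Dst_IP']}" for e in evs}),
            "Sent": sum(e["bytes_sent"] for e in evs),
            "Rec": sum(e["bytes_received"] for e in evs),
        })
    return rows


if __name__ == "__main__":
    hits = search_allowed(EVENTS)
    print("values(application):", stats(hits))          # one row, AppID ['ping', 'ssh']
    print("by application:     ", stats(hits, by="application"))  # one row per app
```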