Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get two fileds "ip numbers" in an timechart?

janroc
Explorer
‎08-26-2022 01:06 AM

Hi all,

How do I get two fileds "ip numbers" in an timechart?
I tried the aggregate fileds, but show up wrong in my visualisation of showing src and dst ip.

index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dstsrc=dest_ip . src
| timechart count by dstsrc

Regards Jan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 02:11 AM

Hi @janroc,

as I said, if you want a sapce between the two IPs you have to add it:

| eval dst_src=dest_ip." ".src

if you put dest_ip.src you make one field but without space between IPs.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 01:54 AM

The ip numbers should show up as 1.1.1.1 2.2.2.2 but showing as 1.1.1.12.2.2.2

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 02:11 AM

Hi @janroc,

as I said, if you want a sapce between the two IPs you have to add it:

| eval dst_src=dest_ip." ".src

if you put dest_ip.src you make one field but without space between IPs.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 03:36 AM

Hi,

This will only give me a lot of NULL values now.

-J-

 

janroc_0-1661510158132.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 05:35 AM

Hi @janroc,

if you have "dst_src" in the eval command, you have to use the same field name also in the stats command and not "dstsrc".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 06:11 AM

My fault of typo, thank you 😐

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2022 01:46 AM

Hi @janroc,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 01:13 AM

Hi @janroc,

what's the issue? have you results without executing the timechart command?

in other words are there events that match all the conditions (index=firewall dest_ip=* src=* dest_port=8090 action=blocked)?

And all events have both the fields with a not null value?

Anyway, your approach is correct, The only thing is that I don't like to have attached ip values, I'd use

index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dst_src=dest_ip."|".src
| timechart count by dst_src

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...