Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get two fileds "ip numbers" in an timechart?

janroc
Explorer
‎08-26-2022 01:06 AM

Hi all,

How do I get two fileds "ip numbers" in an timechart?
I tried the aggregate fileds, but show up wrong in my visualisation of showing src and dst ip.

index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dstsrc=dest_ip . src
| timechart count by dstsrc

Regards Jan

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 02:11 AM

Hi @janroc,

as I said, if you want a sapce between the two IPs you have to add it:

| eval dst_src=dest_ip." ".src

if you put dest_ip.src you make one field but without space between IPs.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 01:54 AM

The ip numbers should show up as 1.1.1.1 2.2.2.2 but showing as 1.1.1.12.2.2.2

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 02:11 AM

Hi @janroc,

as I said, if you want a sapce between the two IPs you have to add it:

| eval dst_src=dest_ip." ".src

if you put dest_ip.src you make one field but without space between IPs.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 03:36 AM

Hi,

This will only give me a lot of NULL values now.

-J-

 

janroc_0-1661510158132.png

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 05:35 AM

Hi @janroc,

if you have "dst_src" in the eval command, you have to use the same field name also in the stats command and not "dstsrc".

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

janroc
Explorer
‎08-26-2022 06:11 AM

My fault of typo, thank you 😐

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-27-2022 01:46 AM

Hi @janroc,

good for you, see next time!

Please accept one answer for the other people of Community

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-26-2022 01:13 AM

Hi @janroc,

what's the issue? have you results without executing the timechart command?

in other words are there events that match all the conditions (index=firewall dest_ip=* src=* dest_port=8090 action=blocked)?

And all events have both the fields with a not null value?

Anyway, your approach is correct, The only thing is that I don't like to have attached ip values, I'd use

index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dst_src=dest_ip."|".src
| timechart count by dst_src

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...