Hi all,
How do I get two fields "ip numbers" in a timechart?
I tried the aggregate fields, but they show up wrong in my visualisation of showing src and dst ip.
index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dstsrc=dest_ip . src
| timechart count by dstsrc
Regards Jan
Hi @janroc,
as I said, if you want a space between the two IPs you have to add it:
| eval dst_src=dest_ip." ".src
if you put dest_ip.src you make one field but without space between IPs.
Ciao.
Giuseppe
The IP numbers should show up as 1.1.1.1 2.2.2.2 but are showing as 1.1.1.12.2.2.2
Hi,
This will only give me a lot of NULL values now.
-J-
Hi @janroc,
if you have "dst_src" in the eval command, you have to use the same field name also in the stats command and not "dstsrc".
Ciao.
Giuseppe
My fault of typo, thank you 😐
Hi @janroc,
good for you, see you next time!
Please accept one answer for the other people of the Community
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @janroc,
what's the issue? do you have results without executing the timechart command?
in other words are there events that match all the conditions (index=firewall dest_ip=* src=* dest_port=8090 action=blocked)?
And all events have both the fields with a not null value?
Anyway, your approach is correct. The only thing is that I don't like to have attached IP values; I'd use
index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dst_src=dest_ip."|".src
| timechart count by dst_src
Ciao.
Giuseppe
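Putting the thread's corrections together (a visible separator between the two IPs, and the same field name in eval and timechart), here is an added example search that is not from any of the posts above. It keeps the question's field names (dest_ip, src, dest_port, action) and index; the "->" separator, the one-hour span, and the limit/useother/usenull options are my choices, not something the thread specified, and you should adjust them to your data volume.

```spl
index=firewall dest_ip=* src=* dest_port=8090 action=blocked
| eval dst_src=dest_ip . " -> " . src
| timechart span=1h count by dst_src limit=0 useother=f usenull=f
```

Two things worth knowing when you run this. First, timechart ... by defaults to showing the ten most frequent series and folding the rest into an OTHER series; with source/destination pairs that is often too few, so limit=0 plus useother=f shows every pair (on a busy firewall, consider raising the span or narrowing the time range instead, because every pair becomes a column). Second, a NULL series in the output means events reached timechart without the by-field set at all, which is exactly what happens when the eval field name and the timechart field name differ, as in the typo discussed above. usenull=f only hides that series; fix the field name rather than relying on it.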