Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine my two searches in Splunk?

Maheshparsi
Explorer
‎07-14-2015 03:18 AM

Hi All,

I have 2 searches of a log file to be merged as one. When I execute them separately, it is working. Please find below:

For File_Transfer:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | stats sum(bytes)  as File_Transfer by src_ip | eval File_Transfer=File_Transfer." MB"

For Infrastructure:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2)  | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85| stats sum(bytes)  as Infrastructure by src_ip| eval Infrastructure =Infrastructure ." MB"

Can you please suggest a solution for this.

Thanks in Advance.

Regards,
Mahesh.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-14-2015 06:22 AM

In your original question you gave this: 

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

View solution in original post

Reply
Solved! Jump to solution

sanjay_shrestha
Contributor
‎07-14-2015 06:28 AM

Hi Mahesh,

Something like following using stats with eval should work and it is preferable to use rename instead of eval for renaming fields.

source="F:Splunk_Log Files*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|stats sum(bytes) as File_Transfer  sum(eval(if( Start>=1 AND End<=85,bytes,0))) as Infrastructure by src_ip| rename Infrastructure  AS Infrastructure ." MB"| rename File_Transfer AS File_Transfer." MB"

Thanks,
Sanjay

Reply
Solved! Jump to solution
Solution

jacobwilkins
Communicator
‎07-14-2015 06:22 AM

In your original question you gave this: 

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

Reply
Solved! Jump to solution

koshyk
Super Champion
‎07-14-2015 03:33 AM

do you need to view the output results in a single row or multiple rows?

0 Karma
Reply
Solved! Jump to solution

Maheshparsi
Explorer
‎07-14-2015 04:19 AM

I need values of "File_Transfer" and "Infrastructure" in multiple columns by "src_ip".
src_ip,dst_ip,recv_bytes,status are columns in my log file.

These are my sample values:

src_ip=192.0.0.0
dst_ip=223.255.255.255
recv_bytes=12432
status=Allow

For File_Transfer, I need sum(recv_bytes ) by src_ip

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

the output table should contain columns as File_Transfer,Infrastructure,src_ip.

Thanks,
Mahesh.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...