Solved: Re: How to combine my two searches in Splunk?

Maheshparsi · ‎07-14-2015

Hi All,

I have 2 searches of a log file to be merged as one. When I execute them separately, it is working. Please find below:

For File_Transfer:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | stats sum(bytes)  as File_Transfer by src_ip | eval File_Transfer=File_Transfer." MB"

For Infrastructure:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2)  | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85| stats sum(bytes)  as Infrastructure by src_ip| eval Infrastructure =Infrastructure ." MB"

Can you please suggest a solution for this.

Thanks in Advance.

Regards,
Mahesh.

jacobwilkins · ‎07-14-2015

In your original question you gave this:

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

View solution in original post

sanjay_shrestha · ‎07-14-2015

Hi Mahesh,

Something like following using stats with eval should work and it is preferable to use rename instead of eval for renaming fields.

source="F:Splunk_Log Files*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|stats sum(bytes) as File_Transfer  sum(eval(if( Start>=1 AND End<=85,bytes,0))) as Infrastructure by src_ip| rename Infrastructure  AS Infrastructure ." MB"| rename File_Transfer AS File_Transfer." MB"

Thanks,
Sanjay

jacobwilkins · ‎07-14-2015

In your original question you gave this:

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

koshyk · ‎07-14-2015

do you need to view the output results in a single row or multiple rows?

Maheshparsi · ‎07-14-2015

I need values of "File_Transfer" and "Infrastructure" in multiple columns by "src_ip".
src_ip,dst_ip,recv_bytes,status are columns in my log file.

These are my sample values:

src_ip=192.0.0.0
dst_ip=223.255.255.255
recv_bytes=12432
status=Allow

For File_Transfer, I need sum(recv_bytes ) by src_ip

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

the output table should contain columns as File_Transfer,Infrastructure,src_ip.

Thanks,
Mahesh.

How to combine my two searches in Splunk?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!