Splunk Search

How to count different fields from different hosts?

dwear
Explorer

Pardon if this is easy, I just finished going through the Searching and Reporting class and am attempting to utilize what I learned in practice.

I'm attempting to correlate the number of malware events each endpoint on my network generates over a given period. To do that, I need to count data from multiple hosts. The problem I'm running into is that the host identifies the endpoint in a different context in the log messages. In the logs, the victim endpoint might be identified as src=, dst= or dvc=. This is what I have searched so far, but I don't know how to "count by" if the field is different. Thanks for any help.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | stats count by ??? | sort -count
0 Karma

masonmorales
Influencer

Could you post some sample data and perhaps a mock-up of what you want the results to look like?

0 Karma

dwear
Explorer

Since I'm still new, I can't post an image of my logs, but here is the generalization.

Appliance A: Malware Alert src=10.128.36.100 dst=96.127.180.106

Appliance B: Malware Alert src=96.127.180.106 dst=10.128.36.100

In this example I only care about listing the internal IPs, or anything with 10.128.36.*

If I only use one appliance it works perfectly. I do host="Appliance A" src=* |stats count by src |sort -count

The issue is, since Appliance A and Appliance B have the 10.128.36 network in different fields, how do I count both those fields without counting ALL src and ALL dst?

0 Karma

richgalloway
SplunkTrust

Use the coalesce command to combine the different fields into a new field.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | eval newField = coalesce(src, dst, dvc) | stats count by newField | sort -count
---
If this reply helps you, Karma would be appreciated.

dwear
Explorer

Thanks! Since both src and dst are in almost all of my logs, won't coalesce collect ALL those values when I only really care about half of them? I only really care about whichever field contains the 10.128 network.

0 Karma

richgalloway
SplunkTrust

Yes, you are correct. That wasn't clear from your original posting. Here's another approach.

host=* | eval addr=case(cidrmatch("10.128.36.0/24",src),src,cidrmatch("10.128.36.0/24",dst),dst) | stats count by addr | sort -count
---
If this reply helps you, Karma would be appreciated.
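To make the difference between the two suggestions concrete, here is an added Python example (not from the thread or from Splunk) that re-implements coalesce(src, dst) beside case(cidrmatch(...), ...) over constructed events shaped like the Appliance A / Appliance B lines above; the sample addresses and the 10.128.36.0/24 subnet are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events modelled on the thread: Appliance A reports the
# internal endpoint in src=, Appliance B reports it in dst=.
SAMPLE_EVENTS = [
    'host="Appliance A" Malware Alert src=10.128.36.100 dst=96.127.180.106',
    'host="Appliance A" Malware Alert src=10.128.36.101 dst=203.0.113.9',
    'host="Appliance B" Malware Alert src=96.127.180.106 dst=10.128.36.100',
    'host="Appliance B" Malware Alert src=198.51.100.7 dst=10.128.36.102',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Pull key=value pairs out of a raw event, like Splunk's field extraction."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def cidrmatch(subnet, addr):
    """Mirror SPL cidrmatch(X, Y): True when addr lies inside subnet."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(subnet)
    except ValueError:  # missing field or unparseable address -> no match
        return False

def coalesce_count(events):
    """First suggestion: coalesce(src, dst) keeps src whenever it is present,
    so Appliance B events are counted under the external address."""
    counts = Counter()
    for ev in map(parse_event, events):
        addr = ev.get("src") or ev.get("dst")
        if addr:
            counts[addr] += 1
    return counts

def internal_endpoint_count(events, subnet="10.128.36.0/24"):
    """Corrected approach: case(cidrmatch(subnet,src),src, cidrmatch(subnet,dst),dst)
    picks whichever field holds the internal endpoint; events with neither drop out."""
    counts = Counter()
    for ev in map(parse_event, events):
        for field in ("src", "dst"):
            if cidrmatch(subnet, ev.get(field)):
                counts[ev[field]] += 1
                break
    return counts

if __name__ == "__main__":  # equivalent of "| stats count by addr | sort -count"
    for name, fn in (("coalesce", coalesce_count), ("cidrmatch", internal_endpoint_count)):
        print(name, fn(SAMPLE_EVENTS).most_common())
```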

dwear
Explorer

Awesome, thanks Rich. Since I have numerous other, non-relevant devices sending data to the same Splunk instance, I had filtered it down some. It looks like it's working correctly; can you just verify my syntax isn't over-including or excluding anything?

host=10.128.16.71 OR host=10.128.16.45 | eval addr=case(cidrmatch("10.128/16",src),src,cidrmatch("10.128./16",dst),dst) | stats count by addr | sort - count

0 Karma

richgalloway
SplunkTrust

There's an extra '.' in your second CIDR. Otherwise, it looks fine. Of course, I don't know your network configuration so I don't know if your CIDRs are correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma