Splunk Search

How to count different fields from different hosts?

dwear
Explorer

Pardon if this is easy, I just finished going through the Searching and Reporting class and am attempting to utilize what I learned in practice.

I'm attempting to correlate the number of malware events each endpoint on my network incurs over a given period. To do that, I need to count data from multiple hosts. The problem I'm running into is that the host identifies the endpoint in a different context in the log messages. In the logs, the victim endpoint might be identified as src=, dst= or dvc=. This is what I searched so far, but I don't know how to "count by" if the field is different. Thanks for any help.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | stats count by ??? | sort -count
0 Karma

masonmorales
Influencer

Could you post some sample data and perhaps a mock-up of what you want the results to look at?

0 Karma

dwear
Explorer

Since I'm still new, I can't post an image of my logs, but here is the generalization.

Appliance A: Malware Alert src=10.128.36.100 dst=96.127.180.106

Appliance B: Malware Alert src=96.127.180.106 dst=10.128.36.100

In this example I only care about listing the internal IPs, or anything with 10.128.36.*

If I only use one appliance it works perfectly. I do host="Appliance A" src=* | stats count by src | sort -count

The issue is, since Appliance A and Appliance B have the 10.128.36 network in different fields, how do I count both those fields without counting ALL src and ALL dst?

0 Karma

richgalloway
SplunkTrust

Use the coalesce command to combine the different fields into a new field.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | eval newField = coalesce(src, dst, dvc) | stats count by newField | sort -count
---
If this reply helps you, Karma would be appreciated.

dwear
Explorer

Thanks! Since both src and dst are in almost all of my logs, won't coalesce collect ALL those values when I only really care about half of them? I only really care about whichever field contains the 10.128 network.

0 Karma

richgalloway
SplunkTrust

Yes, you are correct. That wasn't clear from your original posting. Here's another approach.

host=* | eval addr=case(cidrmatch("10.128.36/24",src),src,cidrmatch("10.128.36/24",dst),dst) | stats count by addr | sort - count
---
If this reply helps you, Karma would be appreciated.
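Added example, not from this thread and not Splunk code: a Python model of the two approaches above (coalesce() on src/dst/dvc, and case(cidrmatch(...)) picking only the field that falls inside the internal network), run over constructed sample events. The field names src, dst and dvc and the appliance host addresses come from the thread; the event lines themselves are made up. Python's ipaddress module requires the full dotted form of a network ("10.128.36.0/24"), so that is what the example uses, and it raises ValueError for a malformed CIDR before touching any events.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real logs). Two appliances report the same
# internal victim in different fields, plus one unrelated device.
SAMPLE_EVENTS = [
    "host=10.128.16.45 Malware Alert src=10.128.36.100 dst=96.127.180.106",
    "host=10.128.16.45 Malware Alert src=10.128.36.101 dst=203.0.113.9",
    "host=10.128.16.71 Malware Alert src=96.127.180.106 dst=10.128.36.100",
    "host=10.128.16.71 Malware Alert src=198.51.100.7 dst=10.128.36.102",
    "host=10.128.16.71 Malware Alert dvc=10.128.36.100 src=198.51.100.8",
    "host=10.128.99.1 Malware Alert src=203.0.113.5 dst=198.51.100.9",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Extract key=value pairs, roughly like Splunk's automatic field extraction."""
    return dict(KV_RE.findall(line))


def cidrmatch(cidr, value):
    """Mirror of SPL cidrmatch(): True when value is an IP inside cidr.

    A malformed cidr (e.g. "10.128./16") raises ValueError; a non-IP value
    simply does not match, as an unparsable field would in Splunk.
    """
    network = ipaddress.ip_network(cidr, strict=False)
    try:
        return ipaddress.ip_address(value) in network
    except ValueError:
        return False


def coalesce_addr(fields, candidates=("src", "dst", "dvc")):
    """SPL: coalesce(src, dst, dvc) -- first field that exists, internal or not."""
    for name in candidates:
        if name in fields:
            return fields[name]
    return None


def internal_addr(fields, cidr, candidates=("src", "dst", "dvc")):
    """SPL: case(cidrmatch(cidr,src),src, cidrmatch(cidr,dst),dst, ...).

    Returns the first candidate whose value lies inside cidr, else None
    (case() with no matching clause yields no value).
    """
    for name in candidates:
        value = fields.get(name)
        if value is not None and cidrmatch(cidr, value):
            return value
    return None


def count_by_internal_addr(events, cidr, hosts=None):
    """host=... | eval addr=case(cidrmatch(...)) | stats count by addr | sort - count

    hosts: optional set of host values to keep (the OR'd host= filter).
    Returns a list of (addr, count) sorted by descending count, then address.
    """
    ipaddress.ip_network(cidr, strict=False)  # fail fast on a typo in the CIDR
    counts = Counter()
    for line in events:
        fields = parse_event(line)
        if hosts is not None and fields.get("host") not in hosts:
            continue
        addr = internal_addr(fields, cidr)
        if addr is not None:
            counts[addr] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    appliances = {"10.128.16.45", "10.128.16.71"}
    for addr, n in count_by_internal_addr(SAMPLE_EVENTS, "10.128.36.0/24", appliances):
        print(f"{addr}\t{n}")
```

Running it shows why coalesce() alone over-counts: for the Appliance B events it returns the external src, while the case(cidrmatch()) version attributes every alert to the internal endpoint regardless of which field carried it, and the unrelated host is dropped by the host filter before counting.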

dwear
Explorer

Awesome, thanks Rich. Since I have numerous other, non-relevant devices sending data to the same Splunk instance, I had filtered it down some. It looks like it's working correctly; can you just verify my syntax isn't over-including or excluding anything?

host=10.128.16.71 OR host=10.128.16.45 | eval addr=case(cidrmatch("10.128/16",src),src,cidrmatch("10.128./16",dst),dst) | stats count by addr | sort - count

0 Karma

richgalloway
SplunkTrust

There's an extra '.' in your second CIDR. Otherwise, it looks fine. Of course, I don't know your network configuration so I don't know if your CIDRs are correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma