
How to count total hits by certain fields?

Builder

I've been playing around with eval, transaction, and stats and I still can't figure this one out... so I'm asking for help. This is a search for an IDS system, and what I'm trying to do is to list the number of total hits by src_ip and signature. This is an example of what I've tried:

sourcetype="IDS" | transaction src_ip signature | table src_ip signature hit_count | sort -hit_count

These are the results that I'm getting (the hit counts are not totaled up):

src_ip          signature       hit_count
1.1.1.1         attack-A        100
                                200
                                200

2.2.2.2         attack-B        100
                                100
                                100

1.1.1.1         attack-B        50
                                50

1.1.1.1         attack-C        20
                                30

2.2.2.2         attack-X        8
                                2

3.3.3.3         attack-A        3
                                2

And these are the results that I'm looking for:

src_ip          signature       hit_count
1.1.1.1         attack-A        500
2.2.2.2         attack-B        300
1.1.1.1         attack-B        100
1.1.1.1         attack-C        50
2.2.2.2         attack-X        10
3.3.3.3         attack-A        5

Does anyone know how to do this? Thanks.


Re: How to count total hits by certain fields?

SplunkTrust

Perhaps something like this?

sourcetype="IDS" | transaction src_ip signature | stats sum(hit_count) by src_ip as hits | table src_ip signature hits | sort -hits

---
If this reply helps you, an upvote would be appreciated.

Re: How to count total hits by certain fields?

Builder

Hi, thanks for the suggestion, but when I just tried it, it returned no results - 151 matching events & no matching fields exist.


Re: How to count total hits by certain fields?

SplunkTrust

Try '... | stats sum(hit_count) by src_ip,signature as hits | ...'

---
If this reply helps you, an upvote would be appreciated.

Re: How to count total hits by certain fields?

Explorer

You have to rename the statistic before you group by src_ip. Also, if you want the "signature" field in your table, you'll have to group by that field as well:

... | stats sum(hit_count) as hits by src_ip signature | table ...

View solution in original post
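The corrected search written out in full, as an added example rather than code from the thread, with the transaction step dropped because stats over the raw events yields the same per-src_ip, per-signature totals. The eventstats and eval lines are an extension for triage (each signature's share of a source's total hits); the field names alerts, src_total and pct_of_src are assumed, not from the thread.

```spl
sourcetype="IDS"
| stats sum(hit_count) as hits count as alerts by src_ip signature
| eventstats sum(hits) as src_total by src_ip
| eval pct_of_src=round(100*hits/src_total, 1)
| sort -hits
| table src_ip signature alerts hits pct_of_src
```

On the figures in the question this lists 1.1.1.1 attack-A with 500 hits (76.9% of that source's 650) at the top and 3.3.3.3 attack-A with 5 hits (100%) at the bottom.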


Re: How to count total hits by certain fields?

Builder

That worked perfectly, thank you!
