Solved: Re: How to edit my search to rename the legend IP ...

loudainmarc · ‎03-02-2017

my search:

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* | timechart count(src_port) by src_ip

now, the resulting bar graph is good but the legend shows the specific IP, but i want to replace that specific IP (in the legend) with a nickname of the CIDR which it came from...how?

somesoni2 · ‎03-03-2017

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip

View solution in original post

somesoni2 · ‎03-03-2017

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip

loudainmarc · ‎03-05-2017

thanks for the assist team, works great

DalJeanis · ‎03-03-2017

Here's one way, if your src_ips and nicknames are relatively static, you can put them inline in the search using this method...

| join type=left src_ip [|makeresults | eval mylookup="CIDR1,My CIDR1 nickname!!!!CIDR2,My CIDR2 nickname!!!!CIDR3,My CIDR3 nickname" | makemv delim="!!!!" mylookup | mvexpand mylookup |makemv delim="," mylookup | eval src_ip=mvindex(mylookup,0),src_ip_nickname=mvindex(mylookup,1)| table src_ip src_ip_nickname]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

The format for each individual lookup is...

src_ip[comma]nickname with spaces allowed[four exclamation points]

For a larger set of IPs, you'll want to use inputlookup or inputcsv instead of this method. If you establish a lookup table named mylookup.csv with columns src_ip and src_ip_nickname

| join type=left src_ip [|inputcsv mylookup.csv]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

For the curious, this code generates some test data for the above code...

| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m 
| streamstats count as baseEvent | eval series="CIDR1"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="CIDR2"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="CIDR3"]
| eval rand1 = random()
| eval adder1 = tonumber(substr(tostring(rand1),1,4))
| eval adder2 = tonumber(substr(tostring(rand1),max(len(rand1)-4,3),4))
| eval sometimes=mvappend(tostring(starttime),tostring(starttime+adder1),tostring(starttime+adder2))
| mvexpand sometimes 
| eval _time=sometimes 
| eval rand2 = random() 
| eval value=substr(rand2,len(rand2)-2,2)
| eval rand3 = random()
| eval src_port= case(rand3>1800000000,"foo11",rand3>1200000000,"foo12",rand3>600000000,"foo13",true(),"foo14")
| rename series as src_ip
| table _time src_ip src_port

How to edit my search to rename the legend IP to a CIDR nickname in the resulting bar chart?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...