Splunk Search

How to edit my search to rename the legend IP to a CIDR nickname in the resulting bar chart?

loudainmarc
Explorer

my search:

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* | timechart count(src_port) by src_ip

now, the resulting bar graph is good but the legend shows the specific IP, but i want to replace that specific IP (in the legend) with a nickname of the CIDR which it came from...how?

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip
0 Karma

loudainmarc
Explorer

thanks for the assist team, works great

0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Here's one way, if your src_ips and nicknames are relatively static, you can put them inline in the search using this method...

| join type=left src_ip [|makeresults | eval mylookup="CIDR1,My CIDR1 nickname!!!!CIDR2,My CIDR2 nickname!!!!CIDR3,My CIDR3 nickname" | makemv delim="!!!!" mylookup | mvexpand mylookup |makemv delim="," mylookup | eval src_ip=mvindex(mylookup,0),src_ip_nickname=mvindex(mylookup,1)| table src_ip src_ip_nickname]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

The format for each individual lookup is...

src_ip[comma]nickname with spaces allowed[four exclamation points]

For a larger set of IPs, you'll want to use inputlookup or inputcsv instead of this method. If you establish a lookup table named mylookup.csv with columns src_ip and src_ip_nickname

| join type=left src_ip [|inputcsv mylookup.csv]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

For the curious, this code generates some test data for the above code...

| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m 
| streamstats count as baseEvent | eval series="CIDR1"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="CIDR2"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="CIDR3"]
| eval rand1 = random()
| eval adder1 = tonumber(substr(tostring(rand1),1,4))
| eval adder2 = tonumber(substr(tostring(rand1),max(len(rand1)-4,3),4))
| eval sometimes=mvappend(tostring(starttime),tostring(starttime+adder1),tostring(starttime+adder2))
| mvexpand sometimes 
| eval _time=sometimes 
| eval rand2 = random() 
| eval value=substr(rand2,len(rand2)-2,2)
| eval rand3 = random()
| eval src_port= case(rand3>1800000000,"foo11",rand3>1200000000,"foo12",rand3>600000000,"foo13",true(),"foo14")
| rename series as src_ip
| table _time src_ip src_port
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...