Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to rename the legend IP to a CIDR nickname in the resulting bar chart?

loudainmarc
Explorer
‎03-02-2017 06:19 PM

my search:

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* | timechart count(src_port) by src_ip

now, the resulting bar graph is good but the legend shows the specific IP, but i want to replace that specific IP (in the legend) with a nickname of the CIDR which it came from...how?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-03-2017 07:33 AM

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎03-03-2017 07:33 AM

Try like this

src_ip=CIDR1 OR src_ip=CIDR2 OR src_ip=CIDR3 dest_ip=* 
| eval src_ip=case(cidrmatch("CIDR1",src_ip),"CIDR1",cidrmatch("CIDR2",src_ip),"CIDR2",1=1,"CIDR3")  
| timechart count(src_port) by src_ip
0 Karma
Reply
Solved! Jump to solution

loudainmarc
Explorer
‎03-05-2017 11:41 AM

thanks for the assist team, works great

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-03-2017 07:21 AM

Here's one way, if your src_ips and nicknames are relatively static, you can put them inline in the search using this method...

| join type=left src_ip [|makeresults | eval mylookup="CIDR1,My CIDR1 nickname!!!!CIDR2,My CIDR2 nickname!!!!CIDR3,My CIDR3 nickname" | makemv delim="!!!!" mylookup | mvexpand mylookup |makemv delim="," mylookup | eval src_ip=mvindex(mylookup,0),src_ip_nickname=mvindex(mylookup,1)| table src_ip src_ip_nickname]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

The format for each individual lookup is... 

src_ip[comma]nickname with spaces allowed[four exclamation points]

For a larger set of IPs, you'll want to use inputlookup or inputcsv instead of this method. If you establish a lookup table named mylookup.csv with columns src_ip and src_ip_nickname

| join type=left src_ip [|inputcsv mylookup.csv]
| table _time src_ip src_ip_nickname src_port
| timechart count(src_port) by src_ip_nickname

For the curious, this code generates some test data for the above code...

| gentimes start="01/25/2017:23:00:00" end="01/27/2017:01:00:00" increment=23m 
| streamstats count as baseEvent | eval series="CIDR1"
| append[| gentimes start="01/26/2017:03:00:00" end="01/26/2017:21:00:00" increment=47m | streamstats count as baseEvent | eval series="CIDR2"]
| append[| gentimes start="01/26/2017:01:17:00" end="01/26/2017:23:18:00" increment=21m | streamstats count as baseEvent | eval series="CIDR3"]
| eval rand1 = random()
| eval adder1 = tonumber(substr(tostring(rand1),1,4))
| eval adder2 = tonumber(substr(tostring(rand1),max(len(rand1)-4,3),4))
| eval sometimes=mvappend(tostring(starttime),tostring(starttime+adder1),tostring(starttime+adder2))
| mvexpand sometimes 
| eval _time=sometimes 
| eval rand2 = random() 
| eval value=substr(rand2,len(rand2)-2,2)
| eval rand3 = random()
| eval src_port= case(rand3>1800000000,"foo11",rand3>1200000000,"foo12",rand3>600000000,"foo13",true(),"foo14")
| rename series as src_ip
| table _time src_ip src_port
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...