Splunk Search

How to get top 20 with 2 conditions?

langtuphidao
New Member

I have some logs, and I want to get the top 20 with 2 conditions:

I use: index="fortinet" | top srcip srcname

but the chart doesn't show srcname.

Please help me.


Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710096306112037 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" srcport=50113 srcintf="LAN2-6" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640983 proto=17 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="DNS" trandisp="snat" transip=117.2.159.103 transport=50113 appid=16195 app="DNS" appcat="Network.Service" apprisk="elevated" applist="default" duration=180 sentbyte=76 rcvdbyte=141 sentpkt=1 rcvdpkt=1 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:71:41:ee" srcmac="00:0c:29:71:41:ee" srcserver=0





Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710095776077392 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49177 srcintf="lan" srcintfrole="lan" dstip=172.64.138.25 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641377 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49177 duration=101 sentbyte=1295 rcvdbyte=2390 sentpkt=8 rcvdpkt=7 appcat="unscanned" wanin=2098 wanout=871 lanin=871 lanout=871 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0


Dec 22 18:54:58 192.168.100.99 date=2022-12-22 time=18:54:54 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710094938835145 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.101.110 srcname="DESKTOP-ANV" srcport=60294 srcintf="LAN2-6" srcintfrole="lan" dstip=20.198.119.143 dstport=443 dstintf="wan1" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="India" sessionid=22992698 proto=6 action="accept" policyid=12 policytype="policy" poluuid="0edafcf4-6f37-51eb-c7b5-87e7b9759041" policyname="ChoPhepTruycapInternetWAN1" service="HTTPS" trandisp="snat" transip=117.2.159.103 transport=60294 appcat="unknown" applist="default" duration=100324 sentbyte=309709 rcvdbyte=429373 sentpkt=3357 rcvdpkt=3357 shapingpolicyid=1 shapingpolicyname="TangTocDoTaiVPN" shapersentname="high-priority" shaperdropsentbyte=0 shaperrcvdname="high-priority" shaperdroprcvdbyte=0 sentdelta=370 rcvddelta=510 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:1e:9b:90" srcmac="00:0c:29:1e:9b:90" srcserver=0


Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710092246081148 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" srcport=49182 srcintf="lan" srcintfrole="lan" dstip=117.18.232.240 dstport=80 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23641463 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTP" trandisp="snat" transip=14.167.188.236 transport=49182 duration=77 sentbyte=659 rcvdbyte=462 sentpkt=7 rcvdpkt=4 appcat="unscanned" wanin=290 wanout=287 lanin=287 lanout=287 utmaction="allow" countweb=1 srchwvendor="Samsung" devtype="Phone" srcfamily="Nexus" osname="Android" srchwversion="5X" srcswversion="6.0.1" mastersrcmac="00:0c:29:a6:9b:18" srcmac="00:0c:29:a6:9b:18" srcserver=0


Dec 22 18:54:49 192.168.100.99 date=2022-12-22 time=18:54:45 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710085749980099 tz="+0700" logid="0000000020" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=49835 srcintf="lan" srcintfrole="lan" dstip=40.83.240.146 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23151816 proto=6 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=49835 duration=69719 sentbyte=19123 rcvdbyte=27448 sentpkt=189 rcvdpkt=189 appcat="unscanned" sentdelta=180 rcvddelta=251 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0


Dec 22 18:54:44 192.168.100.99 date=2022-12-22 time=18:54:40 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710080306081096 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.30 srcname="DESKTOP-K5QNCSB" srcport=61196 srcintf="lan" srcintfrole="lan" dstip=13.35.166.100 dstport=443 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="Taiwan" sessionid=23641845 proto=6 action="close" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="HTTPS" trandisp="snat" transip=14.167.188.236 transport=61196 duration=1 sentbyte=1244 rcvdbyte=6581 sentpkt=11 rcvdpkt=11 appcat="unscanned" wanin=6129 wanout=664 lanin=664 lanout=664 utmaction="allow" countweb=1 srchwvendor="VMware" osname="Windows" srcswversion="10" mastersrcmac="00:0c:29:e8:c3:e9" srcmac="00:0c:29:e8:c3:e9" srcserver=0


Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" devid="FG100ETK20013758" eventtime=1671710072616128264 tz="+0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.168.100.19 srcname="DQ" srcport=59337 srcintf="lan" srcintfrole="lan" dstip=8.8.8.8 dstport=53 dstintf="wan2" dstintfrole="wan" srcuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" dstuuid="174f53ea-ddaa-51ea-67da-a83baf0ea935" srccountry="Reserved" dstcountry="United States" sessionid=23640850 proto=17 action="accept" policyid=14 policytype="policy" poluuid="c0e7dfee-5fe1-51eb-6ce5-8eaca375eca9" policyname="ChoPhepTruycapInternetWAN2" service="DNS" trandisp="snat" transip=14.167.188.236 transport=59337 duration=180 sentbyte=73 rcvdbyte=175 sentpkt=1 rcvdpkt=1 appcat="unscanned" srchwvendor="VMware" srcfamily="Virtual Machine" osname="Windows" srchwversion="Workstation pro" srcswversion="10" mastersrcmac="00:0c:29:5f:d9:52" srcmac="00:0c:29:5f:d9:52" srcserver=0


0 Karma

gcusello
SplunkTrust

Hi @langtuphidao,

This happens because in the chart you can use one field as the x-axis; if you want to display both fields on the x-axis, you have to merge them using eval, something like this:

index="fortinet" 
| eval column=srcip." - ".srcname
| top column

Ciao.

Giuseppe

0 Karma
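To show what the eval-then-top step does to the Fortigate events above, here is an added Python example (not from the post or from Splunk) that parses the key=value log format, builds the combined "srcip - srcname" column and ranks it the way `| top limit=20 column` would (count and percent). The log lines are constructed, shortened samples in the same format as the events in the question; `parse_fortigate` and `top_combined` are names chosen here.

```python
import re
from collections import Counter

# Fortigate events are key=value pairs; a value is either a bare token or a
# double-quoted string, which may contain spaces (srcfamily="Virtual Machine").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (shortened), mimicking the format in the question.
SAMPLE_LOGS = [
    'Dec 22 18:55:00 192.168.100.99 date=2022-12-22 time=18:54:56 devname="Fortigate-AMM" '
    'type="traffic" srcip=192.168.101.114 srcname="DESKTOP-KOTPUP7" dstip=8.8.8.8 dstport=53 action="accept"',
    'Dec 22 18:54:59 192.168.100.99 date=2022-12-22 time=18:54:55 devname="Fortigate-AMM" '
    'type="traffic" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" dstip=172.64.138.25 dstport=443 action="close"',
    'Dec 22 18:54:56 192.168.100.99 date=2022-12-22 time=18:54:52 devname="Fortigate-AMM" '
    'type="traffic" srcip=192.168.100.12 srcname="DESKTOP-NTNP36A" dstip=117.18.232.240 dstport=80 action="close"',
    'Dec 22 18:54:37 192.168.100.99 date=2022-12-22 time=18:54:33 devname="Fortigate-AMM" '
    'type="traffic" srcip=192.168.100.19 srcname="DQ" srcfamily="Virtual Machine" dstip=8.8.8.8 action="accept"',
    # Event with no srcname: eval yields a null column, so top drops it.
    'Dec 22 18:54:30 192.168.100.99 date=2022-12-22 time=18:54:26 devname="Fortigate-AMM" '
    'type="traffic" srcip=192.168.100.77 dstip=1.1.1.1 dstport=443 action="accept"',
]


def parse_fortigate(line):
    """Return a dict of field -> value for one Fortigate syslog line."""
    event = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        event[key] = quoted if quoted is not None else bare
    return event


def top_combined(lines, fields=("srcip", "srcname"), sep=" - ", limit=20):
    """Equivalent of `| eval column=srcip." - ".srcname | top limit=20 column`.

    Returns (column, count, percent) tuples, highest count first. Events
    missing any of the fields are skipped, as they would be in Splunk.
    Note that top defaults to limit=10, so limit=20 must be given explicitly.
    """
    counter = Counter()
    for line in lines:
        ev = parse_fortigate(line)
        if not all(f in ev for f in fields):
            continue
        counter[sep.join(ev[f] for f in fields)] += 1
    total = sum(counter.values())
    return [(col, n, round(100.0 * n / total, 2)) for col, n in counter.most_common(limit)]


if __name__ == "__main__":
    for column, count, percent in top_combined(SAMPLE_LOGS):
        print(f"{column:40} {count:>5} {percent:>7.2f}")
```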

langtuphidao
New Member

Solved, thanks gcusello

0 Karma

gcusello
SplunkTrust

Hi @langtuphidao,

Good for you, see you next time!

Please accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma