Splunk Search

How to top sbimb and top sbomb for each src_ip?

LarrySplunking
Explorer

I have a report

index IN (proxy) src_ip=* |eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip
| search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10)
| sort -sbomb

I tried top but can only get one or the other, and I need to pass dest, totalsbomb and totalsbimb with the top event.

I keep finding ways to get one but not the other. I am trying to get a table with src_ip, dest, sbimb (for dest), sbomb (for dest), totalsbomb and totalsbimb for src_ip.
The query takes too long to run twice with append.


LarrySplunking
Explorer

did with stats max(field) by src_ip,dest and values for other fields


yuanliu
SplunkTrust

You need to describe what you are trying to get, maybe some mockup. What is the output of

| top sbimb sbomb by src_ip

and how does it differ from your expected output?


LarrySplunking
Explorer

When I add |top limit=2 sbimb sbomb dest by src_ip I get the following; they are not the top. I tried without dest but got the same.

[screenshot: LarrySplunking_3-1674136599780.png]

If I sort by sbomb I see the event I want; same with sbomb, I see the greatest sbomb event for the src_IP.

[screenshot: LarrySplunking_4-1674139676060.png]

I want outbound per IP with top, and inbound per IP with top.

[screenshot: LarrySplunking_2-1674136484715.png]


yuanliu
SplunkTrust

If you want top 2 by src_ip, the command to use is

|top 2 sbimb sbomb dest by src_ip

Can you show the result? limit=2 is to limit total output to two rows.

I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct? When you post output from the above command, could you elaborate on the difference between the output and your mockup?

LarrySplunking
Explorer

I get top 2 sbimb; I want top sbimb and sbomb per src_ip. It is working with stats. Thanks.

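The approach the accepted answer describes (stats max() by src_ip, dest, with values() for the remaining fields), written out as one complete search. This is an added example, not the poster's own search: the field names src_ip, dest, sbimb, sbomb, the index proxy and the thresholds come from the thread, while the output names top_inbound_dest, top_inbound_sbimb, top_outbound_dest, top_outbound_sbomb and the intermediate src_max_* fields are assumptions chosen here. It also addresses why the attempts with top in the thread did not return the largest values: top ranks field values by how often they occur, so "top sbimb sbomb by src_ip" returns the most frequent byte counts per src_ip, not the biggest ones. Picking the maximum needs eventstats max() followed by a comparison, which is what the search below does in a single pass over the index, without append.

```spl
index IN (proxy) src_ip=*
| stats max(sbimb) as max_sbimb, max(sbomb) as max_sbomb, sum(sbimb) as sum_sbimb, sum(sbomb) as sum_sbomb by src_ip, dest
| eventstats sum(sum_sbimb) as Totalsbimb, sum(sum_sbomb) as Totalsbomb, max(max_sbimb) as src_max_sbimb, max(max_sbomb) as src_max_sbomb by src_ip
| eval top_in_dest=if(max_sbimb==src_max_sbimb, dest, null())
| eval top_out_dest=if(max_sbomb==src_max_sbomb, dest, null())
| stats values(top_in_dest) as top_inbound_dest, max(max_sbimb) as top_inbound_sbimb, values(top_out_dest) as top_outbound_dest, max(max_sbomb) as top_outbound_sbomb, max(Totalsbimb) as Totalsbimb, max(Totalsbomb) as Totalsbomb by src_ip
| where top_inbound_sbimb > 300 OR top_outbound_sbomb > 20 OR Totalsbimb > 500 OR Totalsbomb > 10
| sort 0 - top_outbound_sbomb
```

The first stats collapses the raw events to one row per src_ip/dest pair (largest single event and byte totals for that pair), so the following eventstats only has to hold one row per pair in memory rather than every proxy event. The eval lines keep dest only on the row that holds the per-src_ip maximum; the final stats then collects that dest with values(), so if two destinations tie for the maximum both appear as a multivalue field instead of one being dropped silently. Totalsbimb and Totalsbomb are constant within each src_ip after eventstats, so max() simply carries them through. sort 0 removes the default 10,000-row cap of sort, which would otherwise truncate the result on a busy proxy index.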