Splunk Search

How to top sbimb and top sbomb for each src_ip?

LarrySplunking
Explorer

I have a report

index IN (proxy) src_ip=* |eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip
| search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10)
| sort -sbomb

Tried top, but I can only get one or the other, and I need to pass dest, totalsbomb and totalsbimb with the top event.

I keep finding ways to get one but not the other. I am trying to get a table with src_ip, dest, sbimb (for dest), sbomb (for dest), totalsbomb and totalsbimb for src_ip.
The query takes too long to run twice with append.

1 Solution

LarrySplunking
Explorer

Did it with stats max(field) by src_ip,dest and values() for the other fields.

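An added worked example of the stats approach this solution describes; it is not a query from the original thread. It assumes the field names and thresholds from the question (index proxy, src_ip, dest, sbimb, sbomb, and the 300/20/500/10 limits); the role field and its labels are made up here for illustration. It goes a step beyond the one-line answer by keeping both the top-inbound and the top-outbound dest for each src_ip in the same pass, so the base search runs only once instead of twice with append.

```spl
index IN (proxy) src_ip=* dest=*
| eventstats sum(sbimb) as Totalsbimb sum(sbomb) as Totalsbomb by src_ip
| stats max(sbimb) as sbimb max(sbomb) as sbomb values(Totalsbimb) as Totalsbimb values(Totalsbomb) as Totalsbomb by src_ip dest
| eventstats max(sbimb) as top_in max(sbomb) as top_out by src_ip
| eval role=case(sbimb=top_in AND sbomb=top_out, "top_in+top_out", sbimb=top_in, "top_in", sbomb=top_out, "top_out")
| where isnotnull(role)
| where sbimb > 300 OR sbomb > 20 OR Totalsbimb > 500 OR Totalsbomb > 10
| table src_ip dest role sbimb sbomb Totalsbimb Totalsbomb
| sort 0 src_ip -sbomb
```

The first eventstats computes the per-src_ip totals over the raw events before anything is collapsed. The stats then reduces to one row per src_ip/dest pair, with the largest sbimb and sbomb seen for that pair; values() carries the totals along because they are constant within each src_ip group. The second eventstats finds, per src_ip, the largest per-dest values, and the eval/where keep only the row(s) that hold them, which is the "top inbound dest" and "top outbound dest" per source. Note that top would not have done this: top ranks field values by how often they occur, not by size, so top sbimb returns the most frequent byte counts rather than the largest ones, which is why the screenshots in the thread did not show the expected rows. The threshold filter here is applied to the per-dest maxima rather than to individual events, so adjust it if the original per-event semantics matter.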

yuanliu
SplunkTrust

You need to describe what you are trying to get, maybe with a mockup. What is the output of

| top sbimb sbomb by src_ip

and how does it differ from your expected output?


LarrySplunking
Explorer

This is what I get when I add |top limit=2 sbimb sbomb dest by src_ip. They are not the top; tried without dest, but same result.

[screenshot: LarrySplunking_3-1674136599780.png]

If I sort by sbomb I see the event I want; same with sbomb, I see the greatest sbomb event for src_IP.

[screenshot: LarrySplunking_4-1674139676060.png]


I want outbound per IP with top, and inbound per IP with top.

[screenshot (mockup): LarrySplunking_2-1674136484715.png]


yuanliu
SplunkTrust

If you want top 2 by src_ip, the command to use is

|top 2 sbimb sbomb dest by src_ip

Can you show the result? limit=2 is to limit total output to two rows.

I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct?  When you post output from the above command, could you elaborate the difference between output and your mockup more?

LarrySplunking
Explorer

I get top 2 sbimb; I want top sbimb and sbomb per src_ip. It is working with stats. Thanks.

