Splunk Search

How to top sbimb and top sbomb for each src_ip?

LarrySplunking
Explorer

I have a report

index IN (proxy) src_ip=* |eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip
| search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10)
| sort -sbomb

Tried top but can only get one or the other, and I need to pass dest, totalsbomb and totalsbimb with the top event.

I keep finding ways to get one but not the other. I am trying to get a table with src_ip, dest, sbimb (for dest), sbomb (for dest), totalsbomb and totalsbimb for src_ip.
The query takes too long to run twice with append.

0 Karma
1 Solution

LarrySplunking
Explorer

Did it with stats max(field) by src_ip,dest and values for the other fields.


0 Karma
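The accepted answer only names the approach (stats max by src_ip,dest, then values for the other fields), so here is one way to write it out as a single-pass search. This is an added example, not the poster's actual search; it assumes the index and field names from the question (proxy, src_ip, dest, sbimb, sbomb), that sbimb/sbomb are numeric per-event byte counts, and keeps the thresholds from the original report. The output column names (top_in_dest, top_out_dest, top_sbimb, top_sbomb) are my own choice.

```spl
index=proxy src_ip=*
| stats sum(sbimb) as sbimb sum(sbomb) as sbomb by src_ip dest
| eventstats sum(sbimb) as Totalsbimb sum(sbomb) as Totalsbomb
             max(sbimb) as MaxSbimb max(sbomb) as MaxSbomb by src_ip
| eval top_in_dest=if(sbimb==MaxSbimb, dest, null()),
       top_out_dest=if(sbomb==MaxSbomb, dest, null())
| stats values(top_in_dest) as top_in_dest max(sbimb) as top_sbimb
        values(top_out_dest) as top_out_dest max(sbomb) as top_sbomb
        max(Totalsbimb) as Totalsbimb max(Totalsbomb) as Totalsbomb by src_ip
| where top_sbimb > 300 OR top_sbomb > 20 OR Totalsbimb > 500 OR Totalsbomb > 10
| sort 0 -top_sbomb
| table src_ip top_out_dest top_sbomb top_in_dest top_sbimb Totalsbomb Totalsbimb
```

The first stats collapses raw events to one row per src_ip/dest pair, so the eventstats that follows computes the per-source totals and maxima over a much smaller result set than eventstats over raw events. The eval then tags the dest rows whose sbimb or sbomb equals the per-source maximum, and the second stats folds everything back to one row per src_ip without needing append. If two destinations tie for the maximum, values() lists both. This also explains why top did not work for this question: top ranks value combinations by how often they occur, not by how large the numbers are, so it returns the most frequent sbimb/sbomb/dest rows rather than the largest transfers.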

yuanliu
SplunkTrust

You need to describe what you are trying to get, maybe some mockup. What is the output of

| top sbimb sbomb by src_ip

and how does it differ from your expected output?

0 Karma

LarrySplunking
Explorer

When I add |top limit=2 sbimb sbomb dest by src_ip, they are not the top; tried without dest but same.

If I sort by sbomb I see the event I want; same with sbomb, I see the sbomb event greatest for src_ip.

I want outbound per IP with top, inbound per IP with top.

0 Karma

yuanliu
SplunkTrust

If you want top 2 by src_ip, the command to use is

|top 2 sbimb sbomb dest by src_ip

Can you show the result? limit=2 is to limit total output to two rows.

I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct? When you post output from the above command, could you elaborate the difference between output and your mockup more?

LarrySplunking
Explorer

I get top 2 sbimb; I want top sbimb and sbomb per src_ip. It is working with stats. Thanks.

0 Karma
