
How to top sbimb and top sbomb for each src_ip?

LarrySplunking (Explorer)

I have a report

index IN (proxy) src_ip=* | eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip
| search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10)
| sort -sbomb

I tried top but can only get one or the other, and I need to pass dest, Totalsbomb and Totalsbimb with the top event.

I keep finding ways to get one but not the other. I am trying to get a table with src_ip, dest, sbimb (for dest), sbomb (for dest), Totalsbomb and Totalsbimb for src_ip.
The query takes too long to run twice with append.

1 Solution

LarrySplunking (Explorer)

Did it with stats max(field) by src_ip, dest and values() for the other fields.

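The approach the accepted answer describes, written out as a full search. This is an added example, not the poster's own search: it assumes the field names, index and thresholds from the original report (index=proxy, src_ip, dest, sbimb and sbomb), sums the bytes per src_ip/dest pair first, then uses a single eventstats pass to carry both the per-src_ip totals and the per-src_ip maxima, so the search runs once instead of twice with append:

```spl
index IN (proxy) src_ip=* dest=*
| stats sum(sbimb) as sbimb, sum(sbomb) as sbomb by src_ip, dest
| eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb, max(sbimb) as max_sbimb, max(sbomb) as max_sbomb by src_ip
| where sbimb=max_sbimb OR sbomb=max_sbomb
| eval role=case(sbimb=max_sbimb AND sbomb=max_sbomb, "top inbound and outbound", sbimb=max_sbimb, "top inbound", true(), "top outbound")
| where sbimb>300 OR sbomb>20 OR Totalsbimb>500 OR Totalsbomb>10
| table src_ip dest role sbimb sbomb Totalsbimb Totalsbomb
| sort src_ip, -sbomb
```

The stats step collapses the raw events to one row per src_ip/dest, which is what makes the later comparison meaningful: eventstats then stamps every row with its src_ip's totals and maxima, and the first where keeps only the rows whose sbimb or sbomb equals the group maximum, i.e. the top inbound dest and the top outbound dest for that src_ip (one row when the same dest is top in both directions, marked by the role field). The thresholds are the ones from the original search; note that if two dests tie for a maximum both rows survive, so add a dedup src_ip role if exactly one row per direction is required.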

yuanliu (SplunkTrust)

You need to describe what you are trying to get, maybe some mockup. What is the output of

| top sbimb sbomb by src_ip

and how does it differ from your expected output?


LarrySplunking (Explorer)

This is what I get when I add |top limit=2 sbimb sbomb dest by src_ip - they are not the top; I tried without dest but got the same.

[screenshot]

If I sort by sbomb I see the event I want; same with sbomb, I see the event with the greatest sbomb for src_ip.

[screenshot]

I want outbound per IP with the top, and inbound per IP with the top.

[screenshot]

yuanliu (SplunkTrust)

If you want top 2 by src_ip, the command to use is

|top 2 sbimb sbomb dest by src_ip

Can you show the result? limit=2 is to limit total output to two rows.

I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct? When you post output from the above command, could you elaborate the difference between output and your mockup more?

LarrySplunking (Explorer)

I get top 2 sbimb; I want top sbimb and sbomb per src_ip. It is working with stats. Thanks.
