Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to top sbimb and top sbomb for each src_ip?

LarrySplunking
Explorer
‎01-18-2023 07:39 AM

I have a report

index IN (proxy) src_ip=* |eventstats sum(sbimb) as Totalsbimb, sum(sbomb) as Totalsbomb by src_ip
| search (sbimb > 300) OR (sbomb > 20) OR (Totalsbimb > 500) OR (Totalsbomb > 10)
| sort -sbomb

Tried top but can only get one or the other and I need to pass dest,totalsbomb and totalsbimb with the top event. 

I keep finding ways to get one but not the other. I am tring to get a table with src_ip, dest, sbimb(for dest) sbomb (for dest) totalsbomb and totalsbimb for src_ip . 
query takes too long to run twice with append. 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LarrySplunking
Explorer
‎01-19-2023 09:17 AM

did with stats max(field) by src_ip,dest and values for other fields

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎01-18-2023 05:48 PM

You need to describe what you are trying to get, maybe some mockup.  What is the output of

| top sbimb sbomb by src_ip

and how does it differ from your expected output?

0 Karma
Reply
Solved! Jump to solution

LarrySplunking
Explorer
‎01-19-2023 06:49 AM

I get when I add |top limit=2 sbimb sbomb dest by src_ip  - they are not the top, tried without dest but same

LarrySplunking_3-1674136599780.png

if I sort by sbomb I see event I want, same with sbomb I see the sbomb event greatest for src_IP

LarrySplunking_4-1674139676060.png

 

I want out bound per IP with top inbound per IP with top

LarrySplunking_2-1674136484715.png

 

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎01-19-2023 11:46 AM

If you want top 2 by src_ip, the command to use is

|top 2 sbimb sbomb dest by src_ip

Can you show the result? limit=2 is to limit total output to two  rows.

I vaguely get what you wanted from the last screen; I assume that's a mockup, is this correct?  When you post output from the above command, could you elaborate the difference between output and your mockup more?

Reply
Solved! Jump to solution

LarrySplunking
Explorer
‎01-19-2023 12:08 PM

i get top 2 sbimb, I want top sbimb and sbomb per src_ip. It is working with stats.  thanks

 

0 Karma
Reply
Solved! Jump to solution
Solution

LarrySplunking
Explorer
‎01-19-2023 09:17 AM

did with stats max(field) by src_ip,dest and values for other fields

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...