Splunk Search

How to use a where clause with log files?

SanthoshSreshta
Contributor

Hi

Can anyone help me in getting the below requirement
I have SRC_IP,DST_IP in my log files. I am writing the query as

source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | stats values(dst_ip) where src_ip="192.168.1.115"

the corresponding dst_ip should be displayed for the where condition kept on src_ip. please help me out in getting this.

Thanks,
Santhosh


woodcock
Esteemed Legend

You need to switch it around like this:

source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | where src_ip="192.168.1.115" | stats values(dst_ip)

Or better yet, skip it like this:

source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" src_ip="192.168.1.115" | stats values(dst_ip)

Or maybe this:

source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | stats values(dst_ip) by src_ip | where src_ip="192.168.1.115"


bwooden
Splunk Employee

There are a few things to consider here.

Generically, the where command leverages the same functions as eval. It happens that in your example, you could use a search command or the where command. When this is the case, the search will be more performant if that condition is moved to the base search, like this:

 source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow"  src_ip="192.168.1.115" | stats values(dst_ip) 

I think the difficulty you're having, though, is that when the transforming stats command is invoked, you lose the src_ip field -- that is to say, when you do a stats showing only the values of dst_ip, the result set will only have the dst_ip field available to any commands further down the pipeline. So to keep your same search, you would need to do a bit more work to keep src_ip in the results coming from stats (you could then use the table or fields command to remove that field from the result set).

In this specific case, the above search will be faster.
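As an added illustration (not code from this thread or from Splunk), here is a small Python model of the three SPL pipelines discussed above, run over constructed firewall events. It shows the point made in the answer: a transforming stats step keeps only the fields it outputs, so a where on src_ip after stats matches nothing unless src_ip is a split-by field.

```python
# Added model (not from the thread) of the three SPL pipelines discussed above,
# run over constructed firewall events. A transforming `stats` keeps only the
# fields it outputs, so `src_ip` is gone unless it is a split-by field.

# Constructed sample events, not real log data.
EVENTS = [
    {"status": "Allow", "src_ip": "192.168.1.115", "dst_ip": "10.0.0.5"},
    {"status": "Allow", "src_ip": "192.168.1.115", "dst_ip": "10.0.0.9"},
    {"status": "Allow", "src_ip": "192.168.1.115", "dst_ip": "10.0.0.5"},
    {"status": "Deny",  "src_ip": "192.168.1.115", "dst_ip": "10.0.0.7"},
    {"status": "Allow", "src_ip": "192.168.1.20",  "dst_ip": "10.0.0.8"},
]

def search(events, **terms):
    """Base-search terms or `where`: keep events whose fields match every term."""
    return [e for e in events if all(e.get(k) == v for k, v in terms.items())]

def stats_values(events, field, by=None):
    """`stats values(<field>) [by <by>]`: output rows contain only the
    aggregated field plus the split-by field; every other field is dropped."""
    groups = {}
    for e in events:
        groups.setdefault(e.get(by) if by else None, set()).add(e[field])
    rows = []
    for key, vals in groups.items():
        row = {f"values({field})": sorted(vals)}
        if by:
            row[by] = key
        rows.append(row)
    return rows

def filter_before_stats(events, src):
    """status="Allow" src_ip=<src> | stats values(dst_ip)   (fastest form)"""
    return stats_values(search(events, status="Allow", src_ip=src), "dst_ip")

def stats_then_where(events, src):
    """status="Allow" | stats values(dst_ip) | where src_ip=<src>"""
    rows = stats_values(search(events, status="Allow"), "dst_ip")
    return search(rows, src_ip=src)  # src_ip no longer exists: no rows

def stats_by_then_where(events, src):
    """status="Allow" | stats values(dst_ip) by src_ip | where src_ip=<src>"""
    rows = stats_values(search(events, status="Allow"), "dst_ip", by="src_ip")
    return search(rows, src_ip=src)  # src_ip survives as the split-by field
```

The model treats a base-search term and a `where` filter identically; in Splunk they differ in cost, which is why the answer recommends the first form.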

solarboyz1
Builder

If you are only looking for the dst_ip from a single src_ip, limit your results to that src_ip and then stats:

source="E:\SPLUNK\FIREWALL\*" status = "Allow" src_ip="192.168.1.115" | stats values(dst_ip)
