Splunk Search

How to use a where clause with log files?

SanthoshSreshta
Contributor

Hi

Can anyone help me with the requirement below?
I have SRC_IP and DST_IP in my log files. I am writing the query as

source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | stats values(dst_ip) where src_ip="192.168.1.115"

The corresponding dst_ip should be displayed for the where condition on src_ip. Please help me out with this.

Thanks,
Santhosh

1 Solution

woodcock
Esteemed Legend

You need to switch it around like this:

    source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | where src_ip="192.168.1.115" | stats values(dst_ip)

Or better yet, skip it like this:

    source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" src_ip="192.168.1.115" | stats values(dst_ip)

Or maybe this:

    source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" | stats values(dst_ip) by src_ip | where src_ip="192.168.1.115"


bwooden
Splunk Employee

There are a few things to consider here.

Generically, the where command leverages the same functions as eval. It happens that in your example, you could use a search command or the where command. When this is the case, the search will be more performant if that condition is moved to the base search, like this:

    source="E:\\SPLUNK\\FIREWALL\\*" status = "Allow" src_ip="192.168.1.115" | stats values(dst_ip)

I think the difficulty you're having, though, is that when the transforming stats command is invoked, you lose the src_ip field -- that is to say, when you do a stats showing only the values of dst_ip, the result set will only have the dst_ip field available to any commands further down the pipeline. So to keep your same search, you would need to do a bit more work to keep src_ip in the results coming from stats (you could then use the table or fields command to remove that field from the result set).

In this specific case, the above search will be faster.
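As an added example (not part of bwooden's post or of the original thread), here is the "keep src_ip through stats, filter, then drop it" search that the reply above describes in prose. Field names src_ip, dst_ip and status follow the question; the output names dst_ips and dst_count are chosen for this example, and the dc(dst_ip) count is an addition to show that further aggregates can be carried along in the same split-by row:

```spl
source="E:\\SPLUNK\\FIREWALL\\*" status="Allow"
| stats values(dst_ip) AS dst_ips dc(dst_ip) AS dst_count BY src_ip
| where src_ip="192.168.1.115"
| fields - src_ip
```

Two things to check when running this. The where command evaluates an eval expression, so the right-hand side must be a double-quoted string literal; single quotes around a value would make it a field reference and the comparison would silently match nothing. And because stats BY src_ip still aggregates every Allow event for every source before where filters the rows, this form scans far more data than putting src_ip="192.168.1.115" in the base search; it is only worth it when you actually need the per-source table (for example, to compare several sources in one go).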

solarboyz1
Builder

If you are only looking for the dst_ip from a single src_ip, limit your results to that src_ip and then stats:

source="E:\SPLUNK\FIREWALL\*" status = "Allow" src_ip="192.168.1.115" | stats values(dst_ip)
