Splunk Search

Iteration Function Syntax

Contributor

v4.3.1 linux
How do you create a search that mimics iteration like in bash?
for i in $(ls /root); do ls -al $i > out.txt; done

As an example:
for error_code in [search index=cisco_firewall | top error_code limit=5] --> search index=cisco_firewall error_code=$error_code$ | top src limit=10

So, for each of the top 5 error_codes I want the top 10 IPs associated with each error_code.

Then, if possible, the count(error_code) by IP for each unique error_code.

0 Karma
1 Solution

Ultra Champion

This should work,

index=cisco_firewall [search index=cisco_firewall | top 5 error_code | fields + error_code] | top 10 src

The following link will explain in more detail.

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

/Kristian


Contributor

OK, I get a weird output. I am expecting 50 lines in my table, but it only shows 28 and only 3 of the top 5 error codes. My table display is 50 per page. Let me run some tests.

OK, ran some tests, found why. There's an extraction issue for some events with specific event codes. As an example, %ASA-5-304001 does not follow the same log format as, say, %ASA-4-106021 or %ASA-4-106023. It could be a daunting task to find all of the problem codes and fix the extraction for each, but maybe not so bad for, say, the top 10 or 20 error codes, etc.

0 Karma

Legend

index=cisco_firewall [search index=cisco_firewall | top 5 error_code | fields + error_code] | top 10 src by error_code

If you add the "by error_code" at the end, does this do it?

0 Karma

Contributor

Nah, this doesn't work the way I need. This only gives a table of the top 10 src for the top 5 error codes. I need the table to show the top 10 src per each of the top 5 error codes, so the output table will have 50 IPs, 10 per error_code, etc.

And to add more complexity, I would like a "count(src) by error_code" next to each of the IPs (this will indicate how many times this IP caused the event with this error code).

0 Karma
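The following is an added example, not code from anyone in this thread and not Splunk's own logic. It restates the "for each error_code, top N src with a count" loop from the question in plain Python so the per-group top-N can be run and inspected offline, and it reproduces the extraction problem found in the tests above: events whose message layout carries no src token contribute to the error_code total but never reach the final table, which is why the table comes up short of 50 rows. The sample events are constructed, simplified ASA-style lines (not real firewall data), and the two regexes are hypothetical field extractions for this example only.

```python
import re
from collections import Counter

# Constructed sample events in a simplified Cisco ASA syslog style (not real
# firewall data; message bodies are illustrative). %ASA-5-304001 uses a layout
# with no "src"/"from" token, so src cannot be extracted from it, which is the
# extraction problem described in the thread.
SAMPLE_EVENTS = [
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4433 dst inside:10.0.0.5/22 by access-group outside_in",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4434 dst inside:10.0.0.5/22 by access-group outside_in",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.7/4435 dst inside:10.0.0.5/22 by access-group outside_in",
    "%ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.0.0.5/53 by access-group outside_in",
    "%ASA-4-106023: Deny tcp src outside:192.0.2.44/51000 dst inside:10.0.0.8/445 by access-group outside_in",
    "%ASA-4-106021: Deny tcp reverse path check from 192.0.2.44 to 10.0.0.8 on interface outside",
    "%ASA-4-106021: Deny tcp reverse path check from 192.0.2.44 to 10.0.0.8 on interface outside",
    "%ASA-4-106021: Deny udp reverse path check from 203.0.113.9 to 10.0.0.8 on interface outside",
    "%ASA-5-304001: 10.0.0.5 Accessed URL 198.51.100.7:http://example.invalid/",
    "%ASA-5-304001: 10.0.0.6 Accessed URL 198.51.100.7:http://example.invalid/",
    "%ASA-2-106001: Inbound TCP connection denied from 192.0.2.44/1024 to 10.0.0.8/23 flags SYN on interface outside",
]

# Hypothetical extractions for this example: the ASA message code at the start
# of the line, and a src IP in either "src iface:ip/port" or "from ip" layout.
# Any other layout leaves src unset.
CODE_RE = re.compile(r"^(?P<error_code>%ASA-\d-\d{6}):")
SRC_RE = re.compile(r"\b(?:src \w+:|from )(?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_event(event):
    """Return {'error_code': ..., 'src': ... or None}, or None if no ASA code."""
    m = CODE_RE.match(event)
    if not m:
        return None
    s = SRC_RE.search(event)
    return {"error_code": m.group("error_code"), "src": s.group("src") if s else None}


def top_src_per_error_code(events, top_codes=5, top_srcs=10):
    """The 'for each error_code' loop from the question: take the top_codes most
    frequent error codes, then for each code the top_srcs most frequent source
    IPs together with how many events that IP produced for that code."""
    parsed = [p for p in map(parse_event, events) if p]
    code_counts = Counter(p["error_code"] for p in parsed)
    result = {}
    for code, _ in code_counts.most_common(top_codes):
        src_counts = Counter(p["src"] for p in parsed if p["error_code"] == code and p["src"])
        result[code] = src_counts.most_common(top_srcs)
    return result


def table_rows(events, top_codes=5, top_srcs=10):
    """Flatten to (error_code, src, count) rows: the table the poster asked for."""
    return [(code, src, n)
            for code, srcs in top_src_per_error_code(events, top_codes, top_srcs).items()
            for src, n in srcs]


def events_without_src(events):
    """Per error_code, how many events matched the code but yielded no src.
    A non-zero count here is why the final table comes up short of
    top_codes * top_srcs rows even when the data has enough events."""
    parsed = [p for p in map(parse_event, events) if p]
    return Counter(p["error_code"] for p in parsed if p["src"] is None)


if __name__ == "__main__":
    for code, src, n in table_rows(SAMPLE_EVENTS):
        print(f"{code}\t{src}\t{n}")
    print("events with no extractable src:", dict(events_without_src(SAMPLE_EVENTS)))
```

Running it lists one row per (error_code, src) pair with the event count beside each IP, and then reports that both %ASA-5-304001 events were counted toward the error_code ranking but produced no src, so that code appears in the top list with an empty IP table. Checking the "no src" counter against the search results is the quick way to see which codes need their extraction fixed before trusting the 50-row table.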