Splunk Search

Iteration Function Syntax

cvajs
Contributor

v4.3.1 linux
how do you create a search that mimics iteration like in bash
for i in ls /root ;do ls -al $i > out.txt ;done

as example:
for error_code in [search index=cisco_firewall | top error_code limit=5] --> search index=cisco_firewall error_code=$error_code$ | top src limit=10

so, for each of the top 5 error_code i want the top 10 IP's associated with each error_code

then if possible, the count(error_code) by IP for each unique error_code

0 Karma
1 Solution

kristian_kolb
Ultra Champion

This should work,

index=cisco_firewall [search index=cisco_firewall | top 5 error_code| fields + error_code] | top 10 src

The following link will explain in more detail.

http://docs.splunk.com/Documentation/Splunk/latest/User/HowSubsearchesWork

/Kristian

cvajs
Contributor

OK, I get a weird output. I am expecting 50 lines in my table, but it only shows 28 and only 3 of the top 5 error codes. My table display is 50 per page. Let me run some tests.

OK, ran some tests, found why. There's an extraction issue for some events with specific event codes. For example: %ASA-5-304001 does not follow the same log format as, say, %ASA-4-106021 or %ASA-4-106023. Could be a daunting task to find all of the problem codes and fix the extraction for each, but maybe not so bad for, say, the top 10 or 20 error codes, etc.

0 Karma

lguinn2
Legend

index=cisco_firewall [search index=cisco_firewall | top 5 error_code| fields + error_code] | top 10 src by error_code

If you add the "by error_code" at the end, does this do it?

0 Karma

cvajs
Contributor

Nah, this doesn't work the way I need. This only gives a table of the top 10 src for the top 5 error codes. I need the table to show the top 10 src per each of the top 5 error codes. So the output table will have 50 IPs, 10 per error_code, etc.

And to add more complexity, I would like a "count(src) by error_code" next to each of the IPs (this will indicate how many times this IP caused the event with this error code).

0 Karma
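For readers arriving later, here is an added worked version of the query this thread converges on. It is not posted by any participant above; it assumes the index `cisco_firewall` and the extracted fields `error_code` and `src` exactly as the thread uses them. In Splunk, `top` with a `by` clause returns the N most common values of the first field for each value of the by-field, and every row carries a `count` column, which is the per-IP count the last post asks for. The second search is an explicit `stats`/`streamstats` form of the same thing, handy for confirming row counts, and the third lists events where `error_code` was never extracted (the cause of the missing rows reported above).

```spl
index=cisco_firewall
    [ search index=cisco_firewall
      | top limit=5 error_code
      | fields + error_code ]
| top limit=10 src by error_code showperc=false

index=cisco_firewall
    [ search index=cisco_firewall
      | top limit=5 error_code
      | fields + error_code ]
| stats count by error_code, src
| sort 0 error_code, -count
| streamstats count as rank by error_code
| where rank <= 10

index=cisco_firewall NOT error_code=*
| head 20
```

The subsearch in brackets expands to `(error_code="A") OR (error_code="B") ...` for the five most frequent codes, so the outer search is restricted to those events before `top` runs. The first search yields at most 50 rows (10 per error_code) with an `error_code`, `src` and `count` column on each row. If fewer rows come back, either some code has fewer than 10 distinct sources or, as in the thread, some events never had `error_code` extracted and therefore never matched the subsearch filter; the third search shows the raw events behind that gap so the extraction can be fixed for those formats.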