Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Making sense of stats results for 1 source to multiple destination

neerajs_81
Builder
‎07-13-2022 11:23 PM

Hi All, 
I have this simple search that shows logins from same SRC IP  to multiple Destination hosts.  Can someone pls explain why does dc(dest_ip) not match the # of values reported by values(dest) in the Results ?  You will notice in the results, that if values(dest) shows 2 hostnames then dc(dest) shows 4 .

Should't it be  that if dc(dest_ip) shows 4  then values(dest) should also report 4 unique host names?  What am i missing ?   Thanks

 

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

 

 

Results: 

Source_Addressdest_countdestAccount_nameuser_firstuser_last
10.x.x.114server01@domain.com
server02@domain.com		xxxxxxxxxx
10.x.x.124server01@domain.com
server02@domain.com		xxxxxxxx
10.x.x.132server03@domain.comxxxxxxx
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 PM

Hi @neerajs_81,

probably there's some dest that has more ips or some dest_ip haven't a dest.

try to add a new component for debugging:

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest_ip) as dest_ip_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 PM

Hi @neerajs_81,

probably there's some dest that has more ips or some dest_ip haven't a dest.

try to add a new component for debugging:

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest_ip) as dest_ip_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-13-2022 11:52 PM

Thanks. When you say some dest_IP don't have a dest meaning is it a case of  DNS entries missing for those IPs ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-14-2022 12:01 AM

Hi @neerajs_81,

yes exactly, with the add-on to the search I hinted, you can see the values of dest_ip and the values of dest, so you can compare them.

You can also run a search with dest_ip=* and see if the dest field has 100% of results.

If you don't want to have an empty value for some dest, you could add to your search (before the stats command) a fillnull command:

| fillnull value="-" dest

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-14-2022 12:03 AM

Yep makes sense . Thank you as always.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...