Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Making sense of stats results for 1 source to multiple destination

neerajs_81
Builder
‎07-13-2022 11:23 PM

Hi All, 
I have this simple search that shows logins from same SRC IP  to multiple Destination hosts.  Can someone pls explain why does dc(dest_ip) not match the # of values reported by values(dest) in the Results ?  You will notice in the results, that if values(dest) shows 2 hostnames then dc(dest) shows 4 .

Should't it be  that if dc(dest_ip) shows 4  then values(dest) should also report 4 unique host names?  What am i missing ?   Thanks

 

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

 

 

Results: 

Source_Addressdest_countdestAccount_nameuser_firstuser_last
10.x.x.114server01@domain.com
server02@domain.com		xxxxxxxxxx
10.x.x.124server01@domain.com
server02@domain.com		xxxxxxxx
10.x.x.132server03@domain.comxxxxxxx
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 PM

Hi @neerajs_81,

probably there's some dest that has more ips or some dest_ip haven't a dest.

try to add a new component for debugging:

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest_ip) as dest_ip_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-13-2022 11:49 PM

Hi @neerajs_81,

probably there's some dest that has more ips or some dest_ip haven't a dest.

try to add a new component for debugging:

index=xxx source="WinEventLog:Security" EventCode=5140 
| stats  dc(dest_ip) as dest_count values(dest_ip) as dest_ip_count values(dest) values(Account_Name) values(user_first) values(user_last)by Source_Address
| rename values(*) as *

Ciao.

Giuseppe

Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-13-2022 11:52 PM

Thanks. When you say some dest_IP don't have a dest meaning is it a case of  DNS entries missing for those IPs ?

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-14-2022 12:01 AM

Hi @neerajs_81,

yes exactly, with the add-on to the search I hinted, you can see the values of dest_ip and the values of dest, so you can compare them.

You can also run a search with dest_ip=* and see if the dest field has 100% of results.

If you don't want to have an empty value for some dest, you could add to your search (before the stats command) a fillnull command:

| fillnull value="-" dest

 Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

neerajs_81
Builder
‎07-14-2022 12:03 AM

Yep makes sense . Thank you as always.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...