Missing original value after using distinct query

michaelhoang · ‎07-21-2019

Hi,
I am having the following issue that need your help.
The scenario is: I am working on the report of firewall data in Splunk. The requirement is getting the distinct destination connected by source address. The table should contain: Source Address, Destination Address and Distinct count the number of Destination address connected by Source.
I am trying to use the dc query to get the distinct count for destination address but when doing table, i only can get source and distinct count number but the destination address value is missing.
Here is the query that I am using:

sourcetype="aws:cloudwatchlogs:vpcflow"
| dedup src dest | stats dc(dest) as
Count by src | table src dest Count |
sort src

Below is the output of the query:

Please help to suggest what query should I use to retain the destination address value.
Thanks,
Michael

renjith_nair · ‎07-21-2019

@michaelhoang ,

Try

sourcetype="aws:cloudwatchlogs:vpcflow"
| stats dc(dest) as Count,values(dest) as dest by src

OR

    sourcetype="aws:cloudwatchlogs:vpcflow"
    | stats dc(dest) as Count  by src,dest|eventstats sum(Count) as Count by src

---
What goes around comes around. If it helps, hit it with Karma 🙂

Missing original value after using distinct query

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability