Missing original value after using distinct query

michaelhoang · ‎07-21-2019

Hi,
I am having the following issue that need your help.
The scenario is: I am working on the report of firewall data in Splunk. The requirement is getting the distinct destination connected by source address. The table should contain: Source Address, Destination Address and Distinct count the number of Destination address connected by Source.
I am trying to use the dc query to get the distinct count for destination address but when doing table, i only can get source and distinct count number but the destination address value is missing.
Here is the query that I am using:

sourcetype="aws:cloudwatchlogs:vpcflow"
| dedup src dest | stats dc(dest) as
Count by src | table src dest Count |
sort src

Below is the output of the query:

Please help to suggest what query should I use to retain the destination address value.
Thanks,
Michael

renjith_nair · ‎07-21-2019

@michaelhoang ,

Try

sourcetype="aws:cloudwatchlogs:vpcflow"
| stats dc(dest) as Count,values(dest) as dest by src

OR

    sourcetype="aws:cloudwatchlogs:vpcflow"
    | stats dc(dest) as Count  by src,dest|eventstats sum(Count) as Count by src

Happy Splunking!

Missing original value after using distinct query

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control

Data Preparation Made Easy: SPL2 for Edge Processor