Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for ports by host

vumanhtai
Path Finder
‎12-01-2017 05:03 PM

Hi All!
What search commands can I use to get results like this?

alt text

Tags (1)
Preview file
4 KB
Reply

woodcock
Esteemed Legend
‎12-02-2017 12:20 PM

Like this:

... | stats first(status) BY host port
| stats list(port) AS port list(status) AS status BY host
0 Karma
Reply

niketn
Legend
‎12-02-2017 03:28 AM

@vumanhtai, multiple ips can be connecting to same port. So ideally you should have the result other way around

 <YourBaseSearch>
| eval port_status=port." - ".status
| stats values(port_status) as port_status by host
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

493669
Super Champion
‎12-01-2017 11:56 PM 
...|stats list(port) as port, list(status) as status by host

OR

...|stats values(port) as port, values(status) as status by host

You can try this...
list() does not dedup while values() will dedup

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...