Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sub Search to Get all Apps and then provide a table with each app showing the fields specified

jaywilwk
Engager
‎02-10-2014 12:59 PM

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0| stats count by src_ip,src_location,dst_ip, dst_port |lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1| lookup dnslookup clientip AS dst_ip outputnew clienthost as destinationhost

Below is what I tried to do to do a subsearch, which should first search for all apps with bytes sent or received more than 0. After that, it's suppose to show each app along with the fields specified in a table.

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost

0 Karma
Reply

somesoni2
Revered Legend
‎02-11-2014 11:40 AM

Try this and let us know what issue you faced with this

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app | fields app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
0 Karma
Reply

jaywilwk
Engager
‎02-11-2014 11:22 AM

I get the following fields:
app count percent

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2014 01:31 PM

What fields and count your get after executing this?

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app

0 Karma
Reply

jaywilwk
Engager
‎02-10-2014 01:21 PM

That didn't work. It came back saying there were no results for this event, which isn't true.

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2014 01:16 PM

The top command add some extra fields like count and percent, which may not be available in your logs and it (should be) returns 0 records. After top command add "| fields app".

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...