- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Sub Search to Get all Apps and then provide a tabl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub Search to Get all Apps and then provide a table with each app showing the fields specified
index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0| stats count by src_ip,src_location,dst_ip, dst_port |lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1| lookup dnslookup clientip AS dst_ip outputnew clienthost as destinationhost
Below is what I tried to do to do a subsearch, which should first search for all apps with bytes sent or received more than 0. After that, it's suppose to show each app along with the fields specified in a table.
index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this and let us know what issue you faced with this
index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app | fields app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get the following fields:
app count percent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What fields and count your get after executing this?
index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't work. It came back saying there were no results for this event, which isn't true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The top command add some extra fields like count and percent, which may not be available in your logs and it (should be) returns 0 records. After top command add "| fields app".
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
