Splunk Search

Sub Search to Get all Apps and then provide a table with each app showing the fields specified

jaywilwk
Engager

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0| stats count by src_ip,src_location,dst_ip, dst_port |lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1| lookup dnslookup clientip AS dst_ip outputnew clienthost as destinationhost

Below is what I tried to do to do a subsearch, which should first search for all apps with bytes sent or received more than 0. After that, it's suppose to show each app along with the fields specified in a table.

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost

0 Karma

somesoni2
Revered Legend

Try this and let us know what issue you faced with this

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app | fields app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
0 Karma

jaywilwk
Engager

I get the following fields:
app count percent

0 Karma

somesoni2
Revered Legend

What fields and count your get after executing this?

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app

0 Karma

jaywilwk
Engager

That didn't work. It came back saying there were no results for this event, which isn't true.

0 Karma

somesoni2
Revered Legend

The top command add some extra fields like count and percent, which may not be available in your logs and it (should be) returns 0 records. After top command add "| fields app".

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...