Splunk Search

Syntax for 'top x entries per y'

timbCFCA
Path Finder

I am trying to find the top 5 UrlDestHosts per IP address for the top 25 ip addresses. I have a search which returns the raw information required:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | stats count by c_ip, UrlDestHost | stats list(UrlDestHost) list(count) by c_ip

How do I add top parameters, say the top X c_ip entries (based on count) and the top Y UrlDestHosts (based on the count per value of X)?

1 Solution

kristian_kolb
Ultra Champion

I think you might have to resort to a subsearch for this (indented for readability):

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" 
[search source="windows_snare_foreweb" cs_network="Internal" action="Allowed" 
  | top 25 c_ip 
  | fields + c_ip
] 
| top 5 UrlDestHost by c_ip

The subsearch will just find (and return) the 25 most common c_ip, which are added to the outer search (as c_ip1 OR c_ip2 OR c_ip3 ...). The result is then piped to top.

Hope this helps,

Kristian

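An alternative that reaches the same "top 5 hosts for each of the top 25 IPs" result without a subsearch (so it is not affected by subsearch result limits), added here as an illustration rather than something posted in this thread; it assumes the same source and field names (c_ip, UrlDestHost) as the question. eventstats attaches each IP's total event count to every row, the sort puts the busiest IPs first with each IP's busiest hosts first, and the two streamstats calls then number the IPs and the hosts within each IP so that where keeps only rank 25 and below for IPs and rank 5 and below for hosts:

```spl
source="windows_snare_foreweb" cs_network="Internal" action="Allowed"
| stats count by c_ip, UrlDestHost
| eventstats sum(count) as ip_total by c_ip
| sort 0 -ip_total, c_ip, -count
| streamstats dc(c_ip) as ip_rank
| streamstats count as host_rank by c_ip
| where ip_rank <= 25 AND host_rank <= 5
| fields - ip_rank, host_rank
| stats list(UrlDestHost) as hosts, list(count) as counts, first(ip_total) as ip_total by c_ip
| sort 0 -ip_total
```

The final stats keeps the host lists in descending count order because list() preserves the order in which rows arrive; change the two numbers in the where clause to pick a different X and Y.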

maniishpawar
Path Finder

index=* sourcetype=iis | top 1 _raw by index



Runals
Motivator

I think the quickest way to answer the first part of your question is:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip

You can change the limit parameter to be whatever you want; the default is 10 if you remove it from the search. One of the fields returned will be percent, which will probably play with your mind a bit (or anyone you might show the results to), so I would get rid of it. It probably also makes sense to group by c_ip. I'd probably format the query like this:

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top limit=5 UrlDestHost by c_ip | sort c_ip, -count | fields - percent

This will sort the IPs in ascending order, the counts in descending order, and remove the percent field. Otherwise you could leave the query as is and use a combination of sort and head to get top results. You are also using list(). In this or other use cases you might try values(), which will dedup and order the results.

I can't quite tell if, below your code snippet, you are asking a variation of your first question. At any rate I hope some of this helps.


melting
Splunk Employee

You want to use the top search command in place of the first stats command. Top does the count similarly to stats (and also a percentage):

... | top 5 UrlDestHost by c_ip | ...

All together it looks like

source="windows_snare_foreweb" cs_network="Internal" action="Allowed" | top UrlDestHost by c_ip | stats list(UrlDestHost) list(count) by c_ip

melting
Splunk Employee

Top is just counting events. It can count them in categories using the "by" indication.

Perhaps you can give an example of what your output would look like?


timbCFCA
Path Finder

This is close but it only limits on the Y value. For example I'm only interested in the top c_ip entries (those with the highest count of events).
