Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Total count per rule, combined with count per rule...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaronnicoli
Path Finder
03-04-2013
03:21 PM
Hi all,
I am going to try and keep this as simple as I can and explain only what I am trying to achieve and what I have to work with...
Okay, so:
I have a search:
index=foo
Which provides data with the fields:
rule_name
dest_ip
dest_port
I want to display the following:
rule_name - count of times the rule occurs - dest_ip - dest_port - count of times "rule_name,dest_ip,dest_port" combination occurs.
Example data:
"foo-rule" "101.101.101.1" "8080"
"foo-rule" "101.101.101.1" "8080"
"foo-rule" "101.101.101.2" "8081"
"bar-rule" "101.101.101.5" "8080"
Example return:
foo-rule - 3 - 101.101.101.1 - 8080 - 2
foo-rule - 3 - 101.101.101.2 - 8081 - 1
bar-rule - 1 - 101.101.101.5 - 8080 - 1
Any ideas???
Thanks guys,
Very much appreciate your help.
Aaron.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-04-2013
03:50 PM
Probably something like :
... | eval ip_port=dest_ip.";".dest_port
| stats count as rule_ip_port_count by rule_name ip_port
| eventstats sum(rule_ip_port_count) as rule_count by rule_name
| rex field=ip_port (?<dest_ip>.*);(?<dest_port>.*)
| fields - ip_port
Edit - typo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-04-2013
03:50 PM
Probably something like :
... | eval ip_port=dest_ip.";".dest_port
| stats count as rule_ip_port_count by rule_name ip_port
| eventstats sum(rule_ip_port_count) as rule_count by rule_name
| rex field=ip_port (?<dest_ip>.*);(?<dest_port>.*)
| fields - ip_port
Edit - typo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jonuwz
Influencer
03-04-2013
04:32 PM
good spot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaronnicoli
Path Finder
03-04-2013
03:58 PM
Mate, your the best!
Exactly what I am after, only thing I had to correct was in your first line...
dest_ip.";"dest_port
Needed to become:
dest_ip.";".dest_port
I assumed the . was to concat.
Cheers again,
Aaron.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
