Trouble displaying multiple stats

stakor · ‎05-21-2017

I am doing a search on our firewall. I am looking to see who is making the most requests on different ports, and also list the total number of requests. I am also interested in what country they are coming from.

I am having trouble with formating the output to show all that I am looking for.

<Basic_Search> | stats dc(dest_port) by src_ip

Returns the number of distince ports that are being hit by each source IP.

<Basic_Search> | stats count by src_ip
| iplocation src_ip
| sort limit=5 -count

Returns the IPs sending the most traffic, where they are.

But, if I try to output a table with something like:

<Basic_Search>
| stats dc(dest_port) by src_ip
| stats count by src_ip
| iplocation src_ip
| sort limit=5 -count

The dc for destination port disappears. (Or is not passed.)

Any ideas on how to get a list of the top X IP's by volume, and also have the IP Location and number of different ports listed?

DalJeanis · ‎05-22-2017

You can have multiple aggregate verbs in a single stats command...

 <Basic_Search>
 | stats count as theCount, dc(dest_port) as thePorts by src_ip
 | iplocation src_ip
 | sort limit=5 - theCount

cmerriman · ‎05-21-2017

Your second stats command basically erases the first. You need to carry over the values from each stats command you do to keep the values. Try something like this:

<Basic_Search>
 | eventstats dc(dest_port) as dcDestPort by src_ip
 | stats max(dcDestPort) as destPorts count by src_ip
 | iplocation src_ip
 | sort limit=5 -count

Trouble displaying multiple stats

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?