Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trouble displaying multiple stats

stakor
Path Finder
‎05-21-2017 08:54 AM

I am doing a search on our firewall. I am looking to see who is making the most requests on different ports, and also list the total number of requests. I am also interested in what country they are coming from.

I am having trouble with formating the output to show all that I am looking for. 

<Basic_Search> | stats dc(dest_port) by src_ip

Returns the number of distince ports that are being hit by each source IP.

<Basic_Search> | stats count by src_ip
| iplocation src_ip
| sort limit=5 -count

Returns the IPs sending the most traffic, where they are.

But, if I try to output a table with something like:

<Basic_Search>
| stats dc(dest_port) by src_ip
| stats count by src_ip
| iplocation src_ip
| sort limit=5 -count

The dc for destination port disappears. (Or is not passed.)

Any ideas on how to get a list of the top X IP's by volume, and also have the IP Location and number of different ports listed?

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎05-22-2017 09:34 AM

You can have multiple aggregate verbs in a single stats command...

 <Basic_Search>
 | stats count as theCount, dc(dest_port) as thePorts by src_ip
 | iplocation src_ip
 | sort limit=5 - theCount
0 Karma
Reply

cmerriman
Super Champion
‎05-21-2017 09:58 AM

Your second stats command basically erases the first. You need to carry over the values from each stats command you do to keep the values. Try something like this:

<Basic_Search>
 | eventstats dc(dest_port) as dcDestPort by src_ip
 | stats max(dcDestPort) as destPorts count by src_ip
 | iplocation src_ip
 | sort limit=5 -count
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...