Trying to add additional info fields into top outp...

oleg106 · ‎04-23-2013

Hi,

I have a simple alert that runs nightly, it is something like:

index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip

Basically shows a report of top 20 clients that access forbidden sites calc/grouped by IP, the format is

client_ip count percentage

I am simply looking to add more fields into this output without changing how it is calculated

Want to say something like

index=bluecoat cs_categories="*Forbidden*" | top limit=20 client_ip | table client_ip user dest count percentage

Can't get it to work. If I add the additional fields after user top limit=20 client_ip, I lose the client_ip grouping and it breaks everything out based on the additional fields. Just looking to add a few info fields into the results and keep the query the same. Thanks

Ayn · ‎04-23-2013

The top command only returns those fields - once it's done there are no other fields present. Besides, if you're picking 20 client IP's, wouldn't there be different values for user and dest for each of them?

If you want unique values for user and dest, maybe using a subsearch would do what you want?

index=bluecoat cs_categories="*Forbidden*" [search index=bluecoat cs_categories="*Forbidden*" | top 20 client_ip | fields client_ip] | top user,dest by client_ip

Trying to add additional info fields into top output

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation