Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Understanding command in search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidsplunk100
New Member
01-11-2018
12:26 AM
Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands is:
- sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
-sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Actio
Thank you!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-11-2018
12:40 AM
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jshekell
Explorer
03-13-2019
07:12 AM
I'm trying to do a similar search as above but I never can reach the blocked or potentially blocked data?
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-11-2018
12:40 AM
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
janadevops
Explorer
01-11-2018
06:29 AM
Perfect... Really Good.
Get Updates on the Splunk Community!
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
