Splunk Search

Understanding command in search

davidsplunk100
New Member

Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands is:

  • sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"

-sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Actio

Thank you!

Tags (1)
0 Karma
1 Solution

mayurr98
Super Champion

hey @davidsplunk100

1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid

BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.

| - output of before | acts as a input to after pipe i.e. your stats command

stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.

2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action

sourcetype=access_combined - this will retrive events from access_combined

stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values

rename action as Action - it will rename action field as Action

I hope this helps!

View solution in original post

0 Karma

jshekell
Explorer

I'm trying to do a similar search as above but I never can reach the blocked or potentially blocked data?

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked

0 Karma

mayurr98
Super Champion

hey @davidsplunk100

1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid

BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.

| - output of before | acts as a input to after pipe i.e. your stats command

stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.

2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action

sourcetype=access_combined - this will retrive events from access_combined

stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values

rename action as Action - it will rename action field as Action

I hope this helps!

0 Karma

janadevops
Explorer

Perfect... Really Good.

Get Updates on the Splunk Community!

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...