Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Understanding command in search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
davidsplunk100
New Member
01-11-2018
12:26 AM
Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands is:
- sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
-sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Actio
Thank you!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-11-2018
12:40 AM
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jshekell
Explorer
03-13-2019
07:12 AM
I'm trying to do a similar search as above but I never can reach the blocked or potentially blocked data?
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-11-2018
12:40 AM
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
janadevops
Explorer
01-11-2018
06:29 AM
Perfect... Really Good.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
