Splunk Search

Understanding command in search

davidsplunk100
New Member

Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands is:

  • sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"

-sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Actio

Thank you!

Tags (1)
0 Karma
1 Solution

mayurr98
Super Champion

hey @davidsplunk100

1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid

BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.

| - output of before | acts as a input to after pipe i.e. your stats command

stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.

2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action

sourcetype=access_combined - this will retrive events from access_combined

stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values

rename action as Action - it will rename action field as Action

I hope this helps!

View solution in original post

0 Karma

jshekell
Explorer

I'm trying to do a similar search as above but I never can reach the blocked or potentially blocked data?

index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked

0 Karma

mayurr98
Super Champion

hey @davidsplunk100

1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid

BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.

| - output of before | acts as a input to after pipe i.e. your stats command

stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.

2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action

sourcetype=access_combined - this will retrive events from access_combined

stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values

rename action as Action - it will rename action field as Action

I hope this helps!

0 Karma

janadevops
Explorer

Perfect... Really Good.

Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...