Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Using where in search
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balcv
Contributor
09-12-2019
06:57 PM
I have the following search
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
This results in a nice stacked column chart showing actions (allowed & blocked) per src_location.
What I need to do is only show those src_locations where the total count (allowed + blocked) is greater than a specific value (eg totalCount >= 500).
I have tried using separate stats count by [field] as [name] statements then using eval to add them together but I can't get the results I'm wanting which is the stacked column graph by src_location showing allowed & blocked.
Any suggestions greatly appreciated.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
08:18 PM
@balcv ,
Try
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
09-12-2019
08:18 PM
@balcv ,
Try
index="pan" (dest_ip="192.168.*" AND NOT src_ip="192.168.*" AND NOT src_location="AU" AND NOT src_location="*-*" )
| chart count by src_location,action
| addtotals row=true fieldname=totalCount | where totalCount >= 500|fields - totalCount
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
balcv
Contributor
09-12-2019
08:32 PM
Awesome. Thanks for that @renjith.nair
Get Updates on the Splunk Community!
See Splunk Platform & Observability Innovations at Cisco Live EMEA
Hi Splunkers,
Learn about what’s next for Splunk Platform at Cisco Live EMEA.
Data silos are a big challenge ...
The OpenTelemetry Certified Associate (OTCA) Exam
What’s this OTCA exam?
The Linux Foundation offers the OpenTelemetry Certified Associate (OTCA) credential to ...
From Manual to Agentic: Level Up Your SOC at Cisco Live
Welcome to the Era of the Agentic SOC
Are you tired of being a manual alert responder? The security ...
