Splunk Search

create search input as a part of a result

Morrel
New Member

Hello.

Can anyone please help me?
I want to search sourcetypes for these IPs:
10.2.123.123 OR 22.222.222.22 OR 33.333.333.33 | stats count by sourcetype
The result is a joined result for the 3 IPs above.

I want the result like this:
10.2.123.123 | 22.222.222.22 | 33.333.333.33
SourcetypeA  | SourcetypeA   | SourcetypeA
SourcetypeB  | SourcetypeB   | SourcetypeB
SourcetypeC  | SourcetypeC   | SourcetypeC

0 Karma

PickleRick
SplunkTrust

If I understand correctly, you want to see _for each IP_ in events from which sourcetypes it can be found, right?

Well, there is a caveat - after your search, when you get to the "pipe" character and splunk receives the found events and passes them to another step of your process it only gets the results. It doesn't retain any knowledge of how you were searching them and what you were looking for. It only knows what you found.

So - firstly, you want to pass to the next step not only the number of occurrences "by sourcetype" but also a list of IPs and the number per IP. So assuming you're looking in the IP field, you need something like this:

IP IN ("1.2.3.4","5.6.7.8","9.10.11.12") | stats count by IP sourcetype

If you want to count occurrences of those IPs anywhere in the event... well, that's different and a bit more difficult. We'll not dig into that now.

Anyway, after this stats command above you'll get a neat stats table with three columns - IP, sourcetype and count.

Now, it's a bit unclear what you want as your result in terms of formatting, but it seems that something like

| xyseries sourcetype IP count

should produce your desired tabular output.

0 Karma
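Putting the two steps from the answer above together as one complete search, as an added example that is not from the thread: the index name `main`, the field name `src_ip` and the three RFC 5737 documentation addresses are assumptions standing in for the poster's own values, and `fillnull` is appended so that an IP/sourcetype pair with no events shows 0 rather than an empty cell.

```spl
index=main src_ip IN ("192.0.2.10", "198.51.100.20", "203.0.113.30")
| stats count BY src_ip sourcetype
| xyseries sourcetype src_ip count
| fillnull value=0
```

The result has one row per sourcetype, one column per IP and the event count in each cell; a sourcetype appears at all only if at least one of the three addresses was seen in it, and a 0 means that address never appeared in that sourcetype. If you want the IPs as rows instead, swap the first two arguments: `xyseries src_ip sourcetype count`. Before relying on this, confirm what the address field is actually called in your data (for example with `index=main | head 1000 | fieldsummary | search field=*ip*`), because a search on a field that only exists in some sourcetypes silently drops the others.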

kamlesh_vaghela
SplunkTrust

@Morrel 

I hope the events have an IP field. Can you please try this?

YOUR_SEARCH | stats values(sourcetype) as sourcetype  by IP | transpose header_field=IP

 

KV 

0 Karma
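Both answers assume the address is an extracted field. For the case PickleRick set aside, where the IP is searched as a bare term and can sit anywhere in the raw event, here is an added example (not from either answer) that tags each event with the address it matched before counting, so the per-IP breakdown survives the pipe. The `main` index and the RFC 5737 addresses are assumptions; the `\b` anchors in the regexes stop the pattern for one address from matching inside a longer one (192.0.2.1 inside 192.0.2.10).

```spl
index=main ("192.0.2.10" OR "198.51.100.20" OR "203.0.113.30")
| eval ip=case(match(_raw, "\b192\.0\.2\.10\b"), "192.0.2.10",
               match(_raw, "\b198\.51\.100\.20\b"), "198.51.100.20",
               match(_raw, "\b203\.0\.113\.30\b"), "203.0.113.30")
| stats count BY ip sourcetype
| xyseries sourcetype ip count
| fillnull value=0
```

One caveat: `case()` returns the first branch that matches, so an event containing two of the addresses is counted once, under whichever is listed first. If that matters for your data, build a multivalue field (one `mvappend` per address that matches) and `mvexpand` it before the `stats`, so the event is counted under each address it contains.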