- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- inputcsv join results to a search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
I know I must be close but missing something with this.
I have a CSV containing Group_Name which are VPN groups. I want to take that list of about 185 groups and use them to search our Cisco ASA for which groups are being used over a time period.
I have a form that does this one by one with the search to grab all the groups as:
|inputcsv ASA_VPN_Groups.csv | fields Group_Name
and the search to count the number of times accessed over the period as:
index=index01 VPN_Group=$Group_Name$ |timechart count(_raw) as num |stats sum(num)
Now I want to put them together into a table that will show me each group and how many times it has been used over the time period
Any suggestions will be very much appreciated.
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LIke this:
index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | timechart count(_raw) AS num BY VPN_Group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LIke this:
index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | timechart count(_raw) AS num BY VPN_Group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmm, that just gives me the total number of times the VPN has been accessed (I assume by all groups).
Maybe I wasn't clear, I would like a table with groups and times accessed e.g.:
Group 1 --- 210
Group 2 --- 51
Group 3 --- 0
Group 4 --- 75
etc.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, original answer re-edited.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK! Now I am getting some groups to show as columns in a table with daily counts however, after 5 groups it is lumping the rest into "Other".
Also is there a way to not show daily but just the cumulative number of all days AND put the groups down the vertical as Rows?
See my ASCII "art" above 😉
Thanks so much!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=index01 [|inputcsv ASA_VPN_Groups.csv | rename Group_Name AS VPN_Group | fields VPN_Group] | stats count(_raw) AS num BY VPN_Group
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You got it!
Thanks so much!!!!
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
