Splunk Search

search query - categorizing results based on a field

milanpatel7
New Member


Hi, a bit new to Splunk, looking for suggestions on one of my search queries:

Here's some sample events that I receive

{
"inbound.network.service": "192.168.1.7, 50990",
"inbound.bytes.count": 10000,
"connection.created" : 1603614820
}

{
"inbound.network.service": "192.168.1.20, 50700",
"inbound.bytes.count": 40000,
"connection.created" : 1603555900
}

{
"inbound.network.service": "192.168.1.7, 50990",
"inbound.bytes.count": 10200,
"connection.created" : 1603614820
}

{
"inbound.network.service": "192.168.1.20, 50700",
"inbound.bytes.count": 43000,
"connection.created" : 1603555900
}

{
"inbound.network.service": "192.168.1.7, 50990",
"inbound.bytes.count": 500,
"connection.created" : 1603679500
}

Details about individual fields:
- the "inbound.network.service" field has the endpoint for each connection in my server
- "inbound.bytes.count" will have the cumulative inbound bytes count for a particular inbound connection. This count gets reset once the connection gets reset.
- "connection.created" has the timestamp when the connection got created. The timestamp value remains the same as long as the connection is valid. It gets reset to a new timestamp once the connection is re-established. The "inbound.bytes.count" also gets re-initialized when that happens.

Here's my existing search query to list bytes received for a particular inbound network & service:

index=inettraffic source="my-server" inbound.network.service="192.168.1.7, 50990"
| reverse
| delta connection.created as connection_reset
| delta inbound.bytes.count as bytes_diff
| eval bytes_received = case(connection_reset == 0, bytes_diff, connection_reset > 0, 'inbound.bytes.count', true(), 0)
| table _time, inbound.network.service, connection.created, connection_reset, inbound.bytes.count, bytes_diff, bytes_received


Questions:
(1) Is there a better way this can be done?
(2) I am looking to get a similar tabular listing of bytes received over _time for all inbound network & services that I have in my events so far. How do I do this? With delta, it ends up taking a difference of the previous event, which may not be for the same inbound.network.service.

Appreciate all your help here, thanks.

0 Karma
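Added example (not part of the original post): one way to get the per-service listing asked for in question (2) is to replace the two delta commands with a single streamstats that carries the previous event's values forward per inbound.network.service, so consecutive events from different services never get subtracted from each other. The index, source and field names are taken from the post; the one assumption added here is that the first observed sample of a service is reported as bytes received in full (the post's query reports 0 for that row), and that a counter going backwards without a new connection.created is treated as a missed reset rather than as negative traffic.

```spl
index=inettraffic source="my-server"
| sort 0 _time
| streamstats current=f last(connection.created) AS prev_created last(inbound.bytes.count) AS prev_bytes BY inbound.network.service
| eval bytes_received = case(
      isnull(prev_created), 'inbound.bytes.count',
      'connection.created' != prev_created, 'inbound.bytes.count',
      'inbound.bytes.count' < prev_bytes, 'inbound.bytes.count',
      true(), 'inbound.bytes.count' - prev_bytes)
| table _time, inbound.network.service, connection.created, prev_created, prev_bytes, inbound.bytes.count, bytes_received
```

How it works: sort 0 _time puts the events in chronological order regardless of how the search returned them (the post's reverse relies on the default newest-first order). streamstats with current=f fills prev_created and prev_bytes from the previous event of the same service, leaving them null on the first event of each service. The case then reports the full counter on a service's first sample and whenever connection.created changes (a re-established connection), and otherwise the difference from the previous sample. On the five sample events above this gives 10000, 200 and 500 for 192.168.1.7 and 40000 and 3000 for 192.168.1.20. The prev_created and prev_bytes columns are included only to make the per-row reasoning visible and can be dropped from the table.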