Splunk Search

sort ip's within stats values function

Path Finder

I am trying to figure out a way to sort the source IPs that are in my stats values results. Just adding a simple sort on that field on the end does nothing. What I'm working with is listed below. Basically this just lists out what destination IPs are talking with what source IPs on specific ports. Any help would be greatly appreciated.

... | stats values(src_ip) by dest_port, protocol, dest_ip | sort +dest_port, dest_ip


Motivator

Hello! How do you know that it is not working? By default your data are sorted in increasing order, meaning from the smallest value to the highest. Doing |sort +dest_port does not change anything in the results. Test this and let me know how it works: ..... | sort -dest_ip

0 Karma

Path Finder

So looking at the values(src_ip) field, the IPs are not in order. It looks like it's not reading them as IPs. The order it's showing is like:

10.123.1.2
10.4.5.6
10.66.6.7
etc...

The other fields are sorted correctly, just not this one field.

0 Karma

Motivator

It is really surprising! Looking at your dest_ip, here is the order you should have:

10.4.5.6
10.66.6.7
10.123.1.2

Please try this and let me know!

   ..... | stats values(src_ip) by dest_port, protocol, dest_ip | eval destip=tostring(dest_ip,"hex") | sort +dest_port, destip
0 Karma

Path Finder

It's not the dest_ip, it's the values(src_ip) that is not sorting. The dest_ip is sorting correctly. The values(src_ip) can be 1 or many results, and this is where they are not sorting if it has more than 1 IP.

0 Karma

Motivator

Please let me know: where did you sort values(src_ip)? Here you go:

 ..... | stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip, srcip

hope this may help!

0 Karma

Path Finder

I tried that already; it does not work. Here are all the combos that I have tried to sort the values(src_ip) field....

..... | stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip, srcip

..... | stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip, ip(srcip)

..... | stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip | sort +ip(srcip)

..... | stats values(src_ip) as srcip by dest_port, protocol, dest_ip | sort +ip(srcip) | sort +dest_port, dest_ip

According to the docs for the values() function, "The order of the values is lexicographical." So if there is any way to change that order to make it see them as IP

0 Karma

Motivator

That is true. The order of the values is lexicographical when using the values function. In fact your results are sorting, but not as you want. To solve the problem, instead of using the values function, I would advise you to use the list function as follows:

 ..... | sort src_ip | stats list(src_ip) as srcip by dest_port, protocol, dest_ip | sort +dest_port, dest_ip

I think it will be ok now!

0 Karma
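As an added example (not from this thread), here is a version of the last suggestion that sorts the source addresses as IPs rather than strings, using Splunk's ip() sort modifier, and that deduplicates before stats so list() does not repeat the same source IP once per event. It assumes the same src_ip, dest_ip, dest_port and protocol field names used in the thread:

```spl
... | dedup dest_port protocol dest_ip src_ip
    | sort 0 ip(src_ip)
    | stats list(src_ip) as src_ips by dest_port, protocol, dest_ip
    | sort 0 +dest_port, ip(dest_ip)
```

The dedup keeps one event per source/destination/port/protocol combination, list() preserves the incoming order of those events in the multivalue field, and sort 0 lifts the default 10,000-result limit of the sort command.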