Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

stats,streamstats command question

nnonm111
Path Finder
‎08-25-2021 05:59 PM

I'm going to check the permission and rejection of the scan attack per hour.
At this point, what I wrote...
Which is appropriate, Vlaues or the list?
Also, which one is suitable, stats or stream stats?


index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1d
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , values(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count


Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-25-2021 07:03 PM 
index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

I have updated SPL, list() is an aggregation function it doesn't care of duplicates and by is clause for grouping.

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎08-25-2021 06:39 PM

@nnonm111  stats should work for your case changed span to 1h. 

index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , values(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎08-25-2021 06:42 PM

instead of values(count) in second stats try sum(count)

0 Karma
Reply
Solved! Jump to solution

nnonm111
Path Finder
‎08-25-2021 06:57 PM

thankyou 

I understand the difference between value and list is deduplication, which value will be removed?
Also, if you do list(app) and by app, the values are different.
What's the reason?

0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-25-2021 07:03 PM 
index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

I have updated SPL, list() is an aggregation function it doesn't care of duplicates and by is clause for grouping.

 

0 Karma
Reply
Solved! Jump to solution

nnonm111
Path Finder
‎08-25-2021 07:15 PM

index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count  by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count



index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count values(app) AS app by _time,src_ip
| table _time, src_ip ,app, dest_ip , count


What's the difference if the app changes?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...