Splunk Search

stats,streamstats command question

nnonm111
Path Finder

I'm going to check the permission and rejection of the scan attack per hour.
At this point, what I wrote...
Which is appropriate, Vlaues or the list?
Also, which one is suitable, stats or stream stats?


index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1d
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , values(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count


Labels (1)
Tags (2)
0 Karma
1 Solution

venkatasri
SplunkTrust
SplunkTrust
index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

I have updated SPL, list() is an aggregation function it doesn't care of duplicates and by is clause for grouping.

 

View solution in original post

0 Karma

venkatasri
SplunkTrust
SplunkTrust

@nnonm111  stats should work for your case changed span to 1h. 

index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , values(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

0 Karma

venkatasri
SplunkTrust
SplunkTrust

instead of values(count) in second stats try sum(count)

0 Karma

nnonm111
Path Finder

thankyou 

I understand the difference between value and list is deduplication, which value will be removed?
Also, if you do list(app) and by app, the values are different.
What's the reason?

0 Karma

venkatasri
SplunkTrust
SplunkTrust
index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count

I have updated SPL, list() is an aggregation function it doesn't care of duplicates and by is clause for grouping.

 

0 Karma

nnonm111
Path Finder

index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count  by _time,src_ip,app
| table _time, src_ip ,app, dest_ip , count



index="firewall" (action="allow" OR action="deny" ) AND ( attack="*scan")
| bin _time span=1h
| stats count by _time,src_ip,dest_ip,app
| stats values(dest_ip) AS dest_ip , sum(count) AS count values(app) AS app by _time,src_ip
| table _time, src_ip ,app, dest_ip , count


What's the difference if the app changes?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...