table for two dimensional distribution

Communicator

Hello,

I am trying to create a bubble chart (this is not very much documented, hopefully this example will help) for a 2D distribution.

I have a set of data (IP addresses) and I would like to count the number of "pairs" for a given time (i.e. the IP addresses talking to each other). My search correctly extracts src and dst (the pair of IP addresses) and I want to build a matrix:

src1 dst1 nr1
src2 dst1 nr2
src3 dst1 nr3
src2 dst1 nr4
src2 dst2 nr5
...

I know that my search should end up with ... | table src, dst, nr-something, I just do not know how to extract nr-something.

Thanks!

Re: table for two dimensional distribution

Contributor

... | stats count by src, dst

Re: table for two dimensional distribution

Communicator

Exactly what I was looking for - thanks. I have a hard time understanding the philosophy of the search syntax (but I will get over that one day :))

Re: table for two dimensional distribution

Path Finder

What are you really asking for?

1) How to count the source/destination pairs
OR
2) How to extract nr-something?

Please provide us with some sample data.

Re: table for two dimensional distribution

Path Finder

If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.

If you need to group the source / destination pairs by a 1-hour timeslot, you might want to try:

... | eval SrcDestPair = src + " " + dst | timechart span=1h count by SrcDestPair
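The same two aggregations, rebuilt in plain Python so the result of the SPL above can be checked offline. This is an added example, not code from the thread; the log lines are constructed, and it also shows an undirected variant (A->B and B->A counted as one conversation), which neither search on this page does.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow records (not from the original thread): "timestamp src dst".
SAMPLE_LOG = """\
2024-01-01T10:05:00 10.0.0.1 10.0.0.2
2024-01-01T10:20:00 10.0.0.2 10.0.0.1
2024-01-01T10:40:00 10.0.0.1 10.0.0.3
2024-01-01T11:10:00 10.0.0.1 10.0.0.2
2024-01-01T11:15:00 10.0.0.3 10.0.0.1
"""


def parse(log):
    """Yield (timestamp, src, dst) tuples from the constructed log text."""
    for line in log.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def directed_pairs(log):
    """Equivalent of `stats count by src, dst`: (src, dst) -> count, direction matters."""
    return Counter((src, dst) for _, src, dst in parse(log))


def conversations(log):
    """Count each pair regardless of direction by ordering the two addresses first,
    so A->B and B->A land in the same bucket (the SPL answers above do not do this)."""
    return Counter(tuple(sorted((src, dst))) for _, src, dst in parse(log))


def hourly_pairs(log):
    """Equivalent of `timechart span=1h count by SrcDestPair`: (hour, "src dst") -> count."""
    return Counter(
        (ts.replace(minute=0, second=0, microsecond=0), f"{src} {dst}")
        for ts, src, dst in parse(log)
    )


if __name__ == "__main__":
    for pair, n in directed_pairs(SAMPLE_LOG).most_common():
        print(pair, n)
    for (hour, pair), n in sorted(hourly_pairs(SAMPLE_LOG).items()):
        print(hour.isoformat(), pair, n)
```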

Re: table for two dimensional distribution

Communicator

Thank you. I cannot put two "best answers" but I upvoted yours 🙂

Re: table for two dimensional distribution

Communicator

It was the first one (how to count). Both answers are exactly what I was looking for, but I should not have used the word "extract" in my last sentence (and replaced it with "count").
