Splunk Search

table for two dimentional distribution

wsw70
Communicator

Hello,

I am trying to create a bubble chart (this is not very much documented, hopefully this example will help) for a 2D distribution.

I have a set of data (IP addresses) and I would like to count the amount of "pairs" for a given time (ie. the IP addresses talking to each other). My search correctly extracts src and dst (the pair of IP addresses) and I want to build a matrix:

src1 dst1 nr1
src2 dst1 nr2
src3 dst1 nr3
src2 dst1 nr4
src2 dst2 nr5
...

I know that my search should end up with ... | table src, dst, nr-something, I just do not know how to extract nr-something.

Thanks!

Tags (2)
0 Karma
1 Solution

imrago
Contributor

... | stats count by scr,dst

View solution in original post

0 Karma

wsw70
Communicator

It was the first one (how to count). Both answers are exactly what I was looking for but I should have not used the word "extract" in my last sentence (and replace it by "count").

0 Karma

RubenOlsen
Path Finder

If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.

If you need to group the source / destination pairs by a 1 hour timeslot - you might want to try:

... | eval SrcDestPair = src + " " + dest | timechart span=1h count by SrcDestPair

wsw70
Communicator

Thank you. I cannot put two "best answers" but I upvoted yours 🙂

0 Karma

RubenOlsen
Path Finder

What are you really asking for?

1) How to count the source/destination pairs
OR
2) How to extract nr-something?

Please provide us with some sample data.

0 Karma

imrago
Contributor

... | stats count by scr,dst

0 Karma

wsw70
Communicator

Exactly what I was looking for - thanks. I have a hard time understanding the philosophy of the search syntax (but I will get over that one day :))

0 Karma
Get Updates on the Splunk Community!

Cloud Platform | Customer Change Announcement: Email Notification Will Be Available ...

The Notification Team is migrating our email service provider since currently there’s no support ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...

Splunk Edge Processor | Popular Use Cases to Get Started with Edge Processor

Splunk Edge Processor offers more efficient, flexible data transformation – helping you reduce noise, control ...