Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About raykongstar
raykongstar
Explorer
Member since:
10-19-2018
06-05-2020
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 10-19-2018 |
Activity Feed
- Karma Re: How do I count each value of a multi-value field and show the top 30 with percentage? for renjith_nair. 06-05-2020 12:50 AM
- Karma Re: How do I count each value of a multi-value field and show the top 30 with percentage? for renjith_nair. 06-05-2020 12:50 AM
- Posted Re: How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-21-2018 09:37 AM
- Posted Re: How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 10:24 PM
- Posted Re: How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 09:08 AM
- Posted Re: How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 07:55 AM
- Posted Re: How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 07:53 AM
- Posted How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 05:40 AM
- Tagged How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 05:40 AM
- Tagged How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 05:40 AM
- Tagged How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 05:40 AM
- Tagged How do I count each value of a multi-value field and show the top 30 with percentage? on Splunk Search. 10-20-2018 05:40 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
10-21-2018
09:37 AM
Thanks this worked perfectly. I'll play around with the Top/head command ad it's still not giving me the top results I need.. Thanks Again, This is usable for me.
... View more
10-20-2018
10:24 PM
Thanks Renjith,
Unfortunately that didn't solve the issue(s).
Percentage = (count/Summation of total counts PER dest_ip)*100,2) . It can be confusing, see my suggestion below about buttercupgames data.
I still didn't get top 30 and the results weren't sorted.
I had an idea, why dont we all try this in the context of BUTTERGAMES data so that we be on the same page on the output;
For instance I tried below on buttercupgames but still didn't give expected results;
Fields for buttercupgames:
dest_port = clientip
dest_ip= productId
Let's use just these two fields above, forget protocol & port.
Buttercupgames | stats count by productId,clientip |eventstats sum(count) as total by productId
|eval percentage=round((count/total)*100,2)
|stats list(*) as * by productId|sort -total |head 30|fields - total
I hope you already have buttercupgames data or know how to get it. I'm not allowed to post links yet. It's Splunk's own sample data.
... View more
10-20-2018
09:08 AM
The updated version of your search gave me exactly what I needed except the formula for percentage is still not right.
But. So far so good, I need to use this information to help determine what ports to open on the firewall.
Only the following are missing now;
Percentage not calculated right.
BONUS: Top 30/20/10 values.
... View more
10-20-2018
07:55 AM
I see spaces have been removed.. just imagine there next line after IP address is indented.
... View more
10-20-2018
07:53 AM
@renjith.nair You search was very close but unfortunately had the following issues or maybe I wasn't clear enough.
The percentage is supposed to calculate only for a certain dest_ip, so should total to 100% for each IP address.
The ports belonging to one IP address should be grouped together, not appear as different search results. ie. See below;
10.66.100.1 ..... 6543 ... 345 .... 40%
.... 443 ..... 453 ..... 50%
..... 80 ....... 70 ...... 10%
10.66.100.4 ..... 6543 ... 345 .... 30%
.... 443 ..... 453 ..... 50%
..... 80 ....... 70 ...... 20%
10.66.100.8 ..... 6543 ... 345 .... 20%
.... 443 ..... 453 ..... 20%
..... 80 ....... 70 ...... 10%
.... 443 ..... 453 ..... 30%
..... 80 ....... 70 ...... 20%
Etc etc etc.. I hope that's clearer now.
Thanks in advance.
... View more
10-20-2018
05:40 AM
Dear Community,
So far, I have gone through the posted QnAs, but haven't yet found a way to make it work with my data context and desired output.
I'm analyzing ASA firewall logs. I'm trying to make a search for the top 30 inbound ports for a range of IPs.
FIELDS:
Destination IP = dest_ip
Destination Port = dest_port
Protocol = protocol
The closest I could get was as below;
dest_ip="10.66.100.*" | stats value(dest_port) count by dest_ip
The above gave me a list of IPs and ports but the total count was seemingly for all ports combined.
DESIRED OUTPUT:
IP # List of Ports # Hits count for each port # Protocol # Percentage of total traffic
Search results for ports belonging to the same IP address should be grouped together. So IP address followed but multi-value field of ports with corresponding count, protocol and percentage for each.
We can also try this on the buttercupgames data so that we all get same output format;
Fields for buttercupgames:
dest_port = clientip
dest_ip= productId
Let's use just these two fields above, forget protocol & port.
Buttercupgames | stats count by productId,clientip | eventstats sum(count) as total by productId
| eval percentage=round((count/total)*100,2)
| stats list(*) as * by productId | sort -total | head 30 | fields - total
I hope you already have buttercupgames data or know how to get it. I'm not allowed to post links yet. It's Splunk's own sample data.
Regards!
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
