Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About goringop
goringop
Explorer
Member since:
08-05-2020
10-15-2020
Community Statistics
| Posts | 8 |
| Solutions | 0 |
| Karma Given | 3 |
| Karma Received | 0 |
| Member Since | 08-05-2020 |
Activity Feed
- Posted Re: Sum of Total count in another column on Splunk Enterprise. 08-25-2020 04:51 AM
- Karma Re: Sum of Total count in another column for richgalloway. 08-25-2020 04:51 AM
- Karma Re: Sum of Total count in another column for richgalloway. 08-25-2020 04:51 AM
- Posted lookup the fields in a different index on Splunk Search. 08-25-2020 04:39 AM
- Posted Re: Sum of Total count in another column on Splunk Enterprise. 08-05-2020 07:44 AM
- Posted Re: Sum of Total count in another column on Splunk Enterprise. 08-05-2020 07:41 AM
- Posted Re: Sum of Total count in another column on Splunk Enterprise. 08-05-2020 07:23 AM
- Posted Re: Sum of Total count in another column on Splunk Enterprise. 08-05-2020 07:10 AM
- Karma Re: Sum of Total count in another column for richgalloway. 08-05-2020 07:10 AM
- Posted Sum of Total count in another column on Splunk Enterprise. 08-05-2020 06:52 AM
- Posted Re: src_ip, with all dest_ips and dest_ports on Splunk Search. 08-05-2020 06:34 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
08-25-2020
04:51 AM
@richgalloway thank you for this, I will install the app and get back to you
... View more
08-25-2020
04:39 AM
I have a splunk query in paloalto data (index=idx_paloalto) something like this: index=idx_paloalto sourcetype=pan:traffic app:subcategory=encrypted-tunnel OR app:subcategory=gaming OR app:subcategory=proxy OR app:subcategory=remote-access NOT(application=ssl OR app:subcategory=storage-backup OR app:subcategory=email) | search action=allowed bytes>=10000000 | eval user=mvindex(split(user,"\\"),-1) | table app:subcategory generated_time user src_ip application src_zone dest_zone action bytes_in bytes_out bytes | sort 0 -bytes result: app:subcategory generated_time username src_ip application src_zone dest_zone action bytes_in bytes_out bytes encrypted-tunnel 8/25/2020 11:19 user123 10.24.144.81 ssh GDC-ENET ENET allowed 3649914812 167157295 3817072107 encrypted-tunnel 8/25/2020 6:16 user546 10.21.132.48 ssh SVS-In SVS-In allowed 259262655 871766 260134421 Then another query in Active Directory data (index=idx_ms_ad) something like this: index=idx_msad sourcetype=ActiveDirectory | eval username = sAMAccountName | dedup username | table username displayName mail | sort -username result: username displayName mail user123 Tommy Lee tommy.lee@domain.com user546 Richard White richard.white@domain.com What I need is to lookup the username from index ms_ad and get additional details like the displayname and mail to my paloalto query getting a result something like this: app:subcategory generated_time username displayName mail src_ip application src_zone dest_zone action bytes_in bytes_out bytes encrypted-tunnel 8/25/2020 11:19 user123 Tommy Lee tommy.lee@domain.com 10.24.144.81 ssh GDC-ENET ENET allowed 3649914812 167157295 3817072107 encrypted-tunnel 8/25/2020 6:16 user546 Richard White richard.white@domain.com 10.21.132.48 ssh SVS-In SVS-In allowed 259262655 871766 260134421
... View more
08-05-2020
07:44 AM
@richgalloway a table something like this: app dest_port count total_count ssl 10001 10020 13000 13006 22790 26107 443 44345 4 21 2 3 2 8 19 22 55 323 455 web-browsing 1000 21 443 5000 7788 80 8003 8080 2 3 4 7 1000 200 12 21 1249
... View more
08-05-2020
07:41 AM
@richgalloway thanks for the reply but still not getting the correct value. please see below screenshot. Under the count column, I want to see all the value for each port then Under the total_count column I want to see the sum of counts for that specific app
... View more
08-05-2020
07:23 AM
@richgalloway it seems that the count for each dest_port where gone, then Im getting the total_count with a value of 1
... View more
08-05-2020
06:52 AM
Hi Need help on my query, I want to achieve this kind of table shown below What I want is to get the total_count value for each app by adding the values under count and get sum of it under total_count app dest_port count total_count ssl 10001 10020 13000 13006 22790 26107 443 44345 4 21 2 3 2 8 19 22 55 323 ? web-browsing 1000 21 443 5000 7788 80 8003 8080 2 3 4 7 1000 200 12 21 ?
... View more
08-05-2020
06:34 AM
@gkanapathy I know the thread is very old but what if I want to add another Column with total counts of events for each src_ip
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
10-15-2020
01:47 AM
|
