×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
niuk
Engager
Member since: ‎09-29-2020
‎10-08-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎09-29-2020
Activity Feed
View All

Re: Show only fields values found in subsearch

by in Splunk Search
‎10-08-2020 12:48 PM
‎10-08-2020 12:48 PM
Appreciate looking at it , I run subsearch with '| format' and got below (...cut output)   ( ( src_ip="10.1.136.6" ) OR ( src_ip="10.1.2.4" ) OR .....cut output )   Does the format of subsearch looks good ? Dont know how to pipe that subsearch other than inserting IN after main search... ... View more

Show only fields values found in subsearch

by in Splunk Search
‎10-08-2020 08:46 AM
‎10-08-2020 08:46 AM
I have search like below to show me 'src_ip' and 'count' every last 10 min index="pan" sourcetype="pan:threat" earliest=-10m action=allowed NOT [| inputlookup Exclusions | fields src_ip] | stats count by src_ip| where count > 10 | sort - count 1.1.1.1 10 2.2.2.2 12 and second search to show only src_ip in last 24h (to eliminate src_ip repeated in any of 10 min periods for last 24h) index="pan" sourcetype="pan:threat" earliest =-24h action=allowed NOT [| inputlookup Exclusions ] | bin _time span=10m | stats count by _time src_ip | where count > 10 | stats count by src_ip | where count = 1 | fields - count but combined search to show my only src_ip with count where src_ip is present in subsearch is not working correctly .. because src_ip values are not unique in subsequent 10 min interval index="pan" sourcetype="pan:threat" earliest=-10m action=allowed NOT [| inputlookup Exclusions | fields src_ip] | stats count by src_ip| where count > 10 | sort - count IN [index="pan" sourcetype="pan:threat" earliest =-24h action=allowed NOT [| inputlookup Exclusions ] | bin _time span=10m | stats count by _time src_ip | where count > 10 | stats count by src_ip | where count = 1 | fields - count]       ... View more
Labels

Count field value occurences

by in Splunk Search
‎10-08-2020 07:47 AM
‎10-08-2020 07:47 AM
I have search result like below with repeating values in 'src _ip' field and looking to count occurrences of field values  10.1.8.5          3 10.3.20.63     1 ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎10-08-2020 07:40 PM
Karma given to
View All