Hey everyone, I want to create a search that gives me the following information in a structured way: Which type of host sends data to which type of host using which port? In a table it would basically look like this: typeOfSendingHost|typeOfReceivingHost|destPort At the moment I have the following search, which shows me which type of host is listening on which port. The subsearch is used to provide the type of system based on splunkname. Therefore, the field splunkname is created in the main search. (index="_internal" group=tcpin_connections) |rename host AS splunknames |join type=left splunkname [|search index=index2] |stats values(destPort) by type Example Output: type values(destPort) Indexer 9995, 9997 Intermediate Forwarder 9996, 9997   In the _internal index, the sending system is stored in the field "hostname" and the receiving system is stored in "host". The field "destPort" is the port to which data is sent. Information about our systems is stored in index2. An event in index2 has the field "splunkname" and "type". The field "splunkname" in index2 contains the hostname of the system (e.g. fields hostname/host). The field "type" stores the type of the system (Forwarder, Indexer, Search Head...). My question is, how can I make the results look like this? Sending System Type Receiving System Type destPort Intermediate Forwarder Indexer 9997 Thank you so much in advance ... View more

Hello everyone, I have the following field and example value: sourcePort=514.000 I'd like to format these fields in such a way, that only the first digits until the point are kept. Furthermore, this should only apply to a certain group of events (group one).  Basically:  before: sourcePort=514.000 after:    sourcePort=514 What I have until now: search... | eval sourcePort=if(group=one, regex part, sourcePort) The regex to match only the digits is  ^\d{1,5} However, I am unsure how to work with the regex and if it is even possible to achieve my goal using this. Thanks in advance ... View more

Hello everyone, I have a search in the following format: (index="index1" group=a) OR (index="index2" group=a).... Later on in the search I want to rename the field host to splunkname, but only those found in events coming from the second "search". The problem ist that both "searches" return events with a field called host. When I tried this, it didnt work: (index="index1" group=a) OR (index="index2" group=a| rename host AS splunkname) How could I solve this? ... View more

Hi everyone, I'm kinda new to splunk. I have two indizes: Stores events (relevant fields: hostname, destPort)       2. Stores information about infrastructure (relevant fields: host, os) I need to show which Ports are used by which os. From the first index I need to know which host is using which ports. From the second index I want to know which host is using which os. I then want to see, which OS uses which ports. To make it even more difficult, the host is called hostname in index 1 and host in index 2. I basically have to group by hostname and then by OS. How can i achieve this? What concepts can I use? I have two working searches for step 1 and step2, I just dont know how to "join" them together. Any help is greatly appreciated, thanks. ... View more