Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Dev
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- How do I group the count of src_ip by month?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bayman
Path Finder
07-21-2017
10:21 AM
How do I group the count of src_ip by month?
This is what I have and shows the count of src_ip
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm") src_ip="*" dest_port="*" dest_ip="*" | fields src_ip | where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-21-2017
10:25 AM
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm") src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month
will that work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ddrillic
Ultra Champion
07-21-2017
11:26 AM
Maybe something in the spirit of | timechart span=30d count by src_ip...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-21-2017
10:25 AM
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm") src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month
will that work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bayman
Path Finder
07-21-2017
10:30 AM
Close, this shows the month for each src_ip
Was hoping it'll show something like
January
192.168.1.5 - 1233
192.168.1.10 - 824
February
192.168.1.12 - 300
192.168.1.25 - 24
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cmerriman
Super Champion
07-21-2017
11:06 AM
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm") src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month|eval srcCount=src_ip+" - "+count|stats values(srcCount) as srcCount by date_month
what about adding this eval and stats to the end?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bayman
Path Finder
07-21-2017
11:27 AM
Works, thanks!
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
