Developing for Splunk Platform

How do I group the count of src_ip by month?

bayman
Path Finder

How do I group the count of src_ip by month?

This is what I have and shows the count of src_ip

index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")  src_ip="*" dest_port="*" dest_ip="*" | fields src_ip | where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip
0 Karma
1 Solution

cmerriman
Super Champion
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")  src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month

will that work?

View solution in original post

0 Karma

ddrillic
Ultra Champion

Maybe something in the spirit of | timechart span=30d count by src_ip...

0 Karma

cmerriman
Super Champion
index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")  src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month

will that work?

0 Karma

bayman
Path Finder

Close, this shows the month for each src_ip

Was hoping it'll show something like
January
192.168.1.5 - 1233
192.168.1.10 - 824

February
192.168.1.12 - 300
192.168.1.25 - 24

0 Karma

cmerriman
Super Champion
 index="cisco_asa" (sourcetype="cisco:asa" OR sourcetype="cisco:pix" OR sourcetype="cisco:fwsm")  src_ip="*" dest_port="*" dest_ip="*" | fields src_ip date_month| where cidrmatch("192.168.1.0/24",src_ip) | stats count by src_ip date_month|eval srcCount=src_ip+" - "+count|stats values(srcCount) as srcCount by date_month

what about adding this eval and stats to the end?

0 Karma

bayman
Path Finder

Works, thanks!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...