Knowledge Management

Data Model Query

sumitkathpal
Explorer

Dear Experts,

Kindly help me modify the query on the Data Model; I have built the query:

| tstats summariesonly=t dc(All_Traffic.src) as src_count from datamodel=Network_Traffic where * by All_Traffic.dest | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort -src_count

The above query displays the Dest IP and Count (Dest IPs that match between Network Traffic and the CSV are displayed in the result). Also, in my Ip.csv there is a field Ip, so I rename it to All_Traffic.dest to match the value. Till now everything is fine. Now I am looking for this result: Src IP, Dest IP and Count.

Note: I am only comparing Dest IP with the CSV, no other field.

1 Solution

reed_kelly
Contributor

It should be simple:

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort - count

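To make the difference between the two groupings concrete, here is an added Python model (not from the thread and not Splunk code) that replays both queries over a constructed set of firewall events and a constructed Ip.csv watchlist: the asker's `dc(All_Traffic.src) ... by All_Traffic.dest` collapses to one row per destination with a distinct-source count, while the accepted `count ... by All_Traffic.dest All_Traffic.src` yields one row per (dest, src) pair whose count is the number of events for that pair. The event tuples, addresses and the `watchlist_dests` helper are all assumptions made for the example.

```python
"""Added example: a small Python stand-in for the two SPL groupings in this thread.
The events and the watchlist are constructed; nothing here queries Splunk."""
from collections import defaultdict

# Constructed stand-in for Network_Traffic events: (src, dest, action).
EVENTS = [
    ("10.10.10.10", "192.0.2.5", "blocked"),
    ("10.10.10.10", "192.0.2.5", "blocked"),
    ("10.10.10.11", "192.0.2.5", "allowed"),
    ("10.10.10.10", "192.0.2.9", "blocked"),
    ("10.10.10.12", "198.51.100.7", "allowed"),  # dest not on the watchlist
]

# Constructed stand-in for Ip.csv, a lookup with a single column "Ip".
IP_CSV = [{"Ip": "192.0.2.5"}, {"Ip": "192.0.2.9"}]


def watchlist_dests(rows):
    """Equivalent of `| inputlookup Ip.csv | rename Ip as All_Traffic.dest`:
    the subsearch becomes a set of destination addresses to keep."""
    return {row["Ip"] for row in rows}


def dc_src_by_dest(events, dests):
    """Asker's query: `dc(All_Traffic.src) as src_count ... by All_Traffic.dest`.
    One row per destination; src_count is the number of DISTINCT sources."""
    srcs = defaultdict(set)
    for src, dest, _action in events:
        if dest in dests:  # the `| search [subsearch]` filter
            srcs[dest].add(src)
    rows = [{"dest": d, "src_count": len(s)} for d, s in srcs.items()]
    return sorted(rows, key=lambda r: (-r["src_count"], r["dest"]))  # sort -src_count


def count_by_dest_src(events, dests):
    """Accepted answer: `count ... by All_Traffic.dest All_Traffic.src`.
    One row per (dest, src) pair; count is the number of EVENTS for the pair."""
    counts = defaultdict(int)
    for src, dest, _action in events:
        if dest in dests:
            counts[(dest, src)] += 1
    rows = [{"dest": d, "src": s, "count": c} for (d, s), c in counts.items()]
    return sorted(rows, key=lambda r: (-r["count"], r["dest"], r["src"]))  # sort - count


if __name__ == "__main__":
    dests = watchlist_dests(IP_CSV)
    print("dc(src) by dest:")
    for row in dc_src_by_dest(EVENTS, dests):
        print("  ", row)
    print("count by dest src:")
    for row in count_by_dest_src(EVENTS, dests):
        print("  ", row)
```

Note that the count column changes meaning between the two shapes: in the sample data 192.0.2.5 has three events from two distinct sources, so the first query reports src_count=2 while the second reports 2 and 1 for the two pairs. If a distinct-source count per destination is still wanted alongside the per-pair rows, it has to be computed separately (for example with a second `stats` or `eventstats` over the pair results) rather than read off the pair count.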

jkat54
SplunkTrust

What is your new query and what error are you having now?


sumitkathpal
Explorer

Thanks, I am not getting errors. The above query gives information about incoming IP addresses hitting the firewall that match the lookup file. I am getting the output Src IP (matched IP from the lookup) and Count. Now I want to see Src IP, Count and Dest IP.

The above query provides the output below:

Src IP        Src_Count
10.10.10.10   5

But I need this output:

Src IP        Dest IP     Src_Count
10.10.10.10   x.x.x.x     2
