Data Model Query

sumitkathpal
Explorer

Dear Experts,

Kindly help me modify a query on a data model. I have built the query:

| tstats summariesonly dc(All_Traffic.src) as src_count from datamodel=Network_Traffic where * by All_Traffic.dest | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort -src_count

The above query displays the Dest IP and Count (a Dest IP that matches both Network Traffic and the CSV is displayed in the result). Also, in my Ip.csv there is a field Ip, so I rename it to All_Traffic.dest to match the value. Till now everything is fine. Now I am looking for this result: Src IP, Dest IP and Count.

Note: I am only comparing Dest IP with the CSV, no other field.

1 Solution

reed_kelly
Contributor

It should be simple:

| tstats summariesonly=t count from datamodel=Network_Traffic where * by All_Traffic.dest All_Traffic.src | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort - count

jkat54
SplunkTrust

What is your new query and what error are you having now?

0 Karma

sumitkathpal
Explorer

Thanks, I am not getting any errors. The above query gives information about incoming IP addresses hitting the firewall that match the lookup file. I am getting the output Src IP (matched IP from lookup) and Count. Now I want to see Src IP, Count and Dest IP.

The above query will provide the below output.
Src IP Src_Count
10.10.10.10 5
But i need output:

Src IP Dest Ip Src_Count
10.10.10.10 x.x.x.x 2

0 Karma
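An added example, not posted by anyone in this thread: one way to return Src IP, Dest IP and Count while applying the Ip.csv filter inside the tstats where clause rather than in a later search. The data model, lookup file and field names are the ones from the question; the output names src, dest, count and src_count are chosen here for illustration.

```spl
| tstats summariesonly=t count from datamodel=Network_Traffic
    where [| inputlookup Ip.csv
           | rename Ip as All_Traffic.dest
           | fields All_Traffic.dest ]
    by All_Traffic.src All_Traffic.dest
| rename All_Traffic.src as src, All_Traffic.dest as dest
| eventstats dc(src) as src_count by dest
| sort - src_count, - count
| table src dest count src_count
```

Each row is one src/dest pair with its event count, and src_count carries the number of distinct sources seen per destination, which is what the original dc() query reported. Subsearch result limits apply to the lookup, so a very large Ip.csv can be truncated before it reaches the where clause.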