Solved: Re: Count matching values on seperated fields

Aufex · ‎07-31-2017

Hi there,
i try to buildup a firewall report:

"sourcetype="firewall" action=blocked | table host src dest src_port dest_port"

this gives me endless rows, and many of them are dublicated.
i try to delete all the dublicates and count them so that i have something like

that would give a nice overview.

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

View solution in original post

knielsen · ‎08-01-2017

The simplest solution is to do a count by the fields you are interested in. It might still be very cluttered I guess, I assume SRC_PORT will vary a lot?

sourcetype="firewall" action=blocked | stats count by host src dest src_port dest_port

Aufex · ‎08-01-2017

thank you. yes ports change a lot. i think its much smarter to display the zones 🙂

woodcock · ‎08-01-2017

Don't forget to click Accept to close the question.

Count matching values on seperated fields

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?