Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Sub Search to Get all Apps and then provide a table with each app showing the fields specified

jaywilwk
Engager
‎02-10-2014 12:59 PM

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0| stats count by src_ip,src_location,dst_ip, dst_port |lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1| lookup dnslookup clientip AS dst_ip outputnew clienthost as destinationhost

Below is what I tried to do to do a subsearch, which should first search for all apps with bytes sent or received more than 0. After that, it's suppose to show each app along with the fields specified in a table.

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost

0 Karma
Reply

somesoni2
Revered Legend
‎02-11-2014 11:40 AM

Try this and let us know what issue you faced with this

index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app | fields app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
0 Karma
Reply

jaywilwk
Engager
‎02-11-2014 11:22 AM

I get the following fields:
app count percent

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2014 01:31 PM

What fields and count your get after executing this?

index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app

0 Karma
Reply

jaywilwk
Engager
‎02-10-2014 01:21 PM

That didn't work. It came back saying there were no results for this event, which isn't true.

0 Karma
Reply

somesoni2
Revered Legend
‎02-10-2014 01:16 PM

The top command add some extra fields like count and percent, which may not be available in your logs and it (should be) returns 0 records. After top command add "| fields app".

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...