- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Sub Search to Get all Apps and then provide a ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sub Search to Get all Apps and then provide a table with each app showing the fields specified
index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0| stats count by src_ip,src_location,dst_ip, dst_port |lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1| lookup dnslookup clientip AS dst_ip outputnew clienthost as destinationhost
Below is what I tried to do to do a subsearch, which should first search for all apps with bytes sent or received more than 0. After that, it's suppose to show each app along with the fields specified in a table.
index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this and let us know what issue you faced with this
index=pan_logs sourcetype=pan_traffic [search index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app | fields app] | stats count by src_ip, src_location, dst_ip, dst_port | lookup dnslookup clientip AS src_ip outputnew clienthost as clienthost1 | lookup dnslookup clientip AS dst_ip outputnew clienthost AS destinationhost
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I get the following fields:
app count percent
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What fields and count your get after executing this?
index=pan_logs sourcetype=pan_traffic bytes_sent>0 bytes_received>0 | top limit=500 app
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That didn't work. It came back saying there were no results for this event, which isn't true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The top command add some extra fields like count and percent, which may not be available in your logs and it (should be) returns 0 records. After top command add "| fields app".
.conf24 | Day 0
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
