Solved: group by srcIP and total count dstIP

happy035 · ‎08-21-2013

Hello, I'm trying to compose search, that will show me srcIP, dstIP, count by dstIP like this:

srcIP       dstIP    count
1.1.1.1     2.2.2.2    15
            2.2.2.3     10
            2.3.4.3     10    
5.5.5.5     6.6.6.6     8
            7.7.7.7      8

I used like this status="failure" | stats count(dst) by src, dst, but I was unable to get distinct value of srcIP. Could you please advise me how to do that? Thanx in advance.

lguinn2 · ‎08-21-2013

There are a couple of ways to do this. Easiest:

status=failure | stats count by src, dst

It repeats the source IP on each line, though. This may also work:

status=failure 
| stats count by src, dst
| stats list(dst) as dstIP list(count) as count by src
| rename src as srcIP

This may look more like what you want. However, this version will not export in a useful way.

View solution in original post

lguinn2 · ‎08-21-2013

There are a couple of ways to do this. Easiest:

status=failure | stats count by src, dst

It repeats the source IP on each line, though. This may also work:

status=failure 
| stats count by src, dst
| stats list(dst) as dstIP list(count) as count by src
| rename src as srcIP

This may look more like what you want. However, this version will not export in a useful way.

happy035 · ‎08-21-2013

Appreciate for your perfect answer.
It works and much helpful to me.
Nice day.

group by srcIP and total count dstIP

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025

Are you a member of the Splunk Community?

group by srcIP and total count dstIP

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

What's New in Splunk Observability - October 2025