Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append Eventtype to Top listing

EricPartington
Communicator
‎03-23-2011 02:30 AM

I have a listing of top denied connections that lists the src_ip, dest_ip, count for the top 10 denied connections that match an eventtype pattern (eventtype=UT*)

Each row in the table relates to a unique eventtype UT1234, UT2345, UT4567 ..etc

How can I have the output table of the top 10 denied connections show the eventtype (that matches a UT* pattern, there could be a few eventtypes that might match - eventtype=firewall-deny, eventtype=tivoli) for each row?

1.1.1.1 2.2.2.2 20 UT1234
1.1.1.2 2.2.2.3 19 UT2345
1.1.1.3 2.2.2.4 18 UT4567

THis feels like it should be some form of appending to the top command but I havent found the appropriate one yet.

Any ideas?

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:34 AM

Let me restate it and see if I get it? It sounds like you have a search like: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip

or maybe you're using the top command to do the same thing. (use stats, it's cooler)

<your search terms> eventtype=UT* | top src_ip, dest_ip

and each row in the resulting table happens to match a unique eventtype, but you want to know how to include the eventtype in the stats output.

But if that's the case, the answer is pretty easy so it seems unlikely: 

<your search terms> eventtype=UT* | stats count by src_ip, dest_ip, eventtype | sort - count

or if there's generally only one eventtype for each connection, but not always just one, you can play it safe and display the distinct values of eventtype like so: 

<your search terms> eventtype=UT* | stats count values(eventtype) as eventtype by src_ip, dest_ip | sort - count
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...