Splunk Search

Joining two fields based on matching value to two other fields.

jwinderDDS
Path Finder

I am trying to create a top bandwidth users report from the RT_FLOW_SESSION_CLOSE data coming from our Juniper SRX. A sample event looks like:

Jan  8 10:03:42 fw-columbus01 1 2015-01-08T10:03:41.446-05:00 fw-columbus01 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="idle Timeout" source-address="172.16.0.10" source-port="61968" destination-address="8.8.8.8" destination-port="53" service-name="junos-dns-udp" nat-source-address="xxx.xxx.xxx.xxx" nat-source-port="4995" nat-destination-address="8.8.8.8" nat-destination-port="53" src-nat-rule-name="default" dst-nat-rule-name="None" protocol-id="17" policy-name="default-permit" source-zone-name="trust" destination-zone-name="untrust" session-id-32="23014" packets-from-client="1" bytes-from-client="72" packets-from-server="1" bytes-from-server="144" elapsed-time="4" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/0.0" encrypted="UNKNOWN"]

The problem I am running into is that these event records are for both sides of the flow conversation. In order to figure out the total bytes sent by 172.16.0.10, not only do I have to sum(bytes_from_client) by source-address where 172.16.0.10 is the source, but I also need to sum(bytes_from_server) by destination_address where 172.16.0.10 is the destination. Now of course I would like a table with any IP addresses seen and total bytes sent, not just a single one.

Any guidance will be greatly appreciated!

Jeremy

0 Karma

lguinn2
Legend

Try this

yoursearchhere
| stats sum(bytes_from_client) as bytes_client sum(bytes_from_server) as bytes_server by source-address destination-address

as a starting point

Then, you can do this:

yoursearchhere
| stats sum(bytes_from_client) as bytes_client by source-address 
| rename source-address as IP
| join IP [ search yoursearchhere
    | stats sum(bytes_from_server) as bytes_server by destination-address
    | rename destination-address as IP ]
| table IP bytes_client bytes_server

The second search will probably take approximately twice as long to run...

0 Karma

jwinderDDS
Path Finder

lguinn,

I appreciate the response. Based on your recommendation I managed to get closer to my desired report. My current search command is:

`srx_traffic`
| stats sum(bytes_from_server) as bytes_server by destination_address
| rename destination_address AS IP
| join type=outer IP [ search `srx_traffic`
    | stats sum(bytes_from_client) as bytes_client by source_address
    | rename source_address AS IP ]
| fillnull value=0 bytes_client bytes_server
| eval bytes='bytes_client'+'bytes_server'
| sort -bytes
| table IP bytes

The current problem is it doesn't work with real-time searches.

Thank you again!

0 Karma
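The same per-IP totals can be produced in a single pass with no subsearch, which is what makes the join-based version above awkward. The idea is to turn every session-close event into two rows, one for the source address and one for the destination address, each carrying the bytes that host sent and received in that session, then sum by IP. The search below is an added example, not code from the thread or from Juniper; it assumes the underscore field names used in the final search above (source_address, destination_address, bytes_from_client, bytes_from_server) and the `srx_traffic` macro, and it uses "|" as a separator because it cannot appear in an IP address or a byte count.

```spl
`srx_traffic`
| eval pair=mvappend(
      source_address . "|" . bytes_from_client . "|" . bytes_from_server,
      destination_address . "|" . bytes_from_server . "|" . bytes_from_client)
| mvexpand pair
| rex field=pair "^(?<IP>[^|]+)\|(?<bytes_sent>\d+)\|(?<bytes_received>\d+)$"
| stats sum(bytes_sent) as bytes_sent sum(bytes_received) as bytes_received count as sessions by IP
| eval bytes_total = bytes_sent + bytes_received
| sort -bytes_sent
| table IP bytes_sent bytes_received bytes_total sessions
```

Because there is only one search pipeline and no `join`, the data is read once instead of twice, and no `fillnull` is needed: an address that only ever appears on one side of a conversation still gets a row with both counters. The `sessions` column comes for free from the expanded rows and is useful when reviewing the top talkers, since a host with a high byte count spread across a handful of long sessions looks different from one with thousands of short ones.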