Hi All,
I have 2 searches of a log file to be merged as one. When I execute them separately, it is working. Please find below:
For File_Transfer:
source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | stats sum(bytes) as File_Transfer by src_ip | eval File_Transfer=File_Transfer." MB"
For Infrastructure:
source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85| stats sum(bytes) as Infrastructure by src_ip| eval Infrastructure =Infrastructure ." MB"
Can you please suggest a solution for this.
Thanks in Advance.
Regards,
Mahesh.
In your original question you gave this:
| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85
But in your comment, you said this:
For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255
Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?
Here is an untested example, and I'm totally changing your field names to make more sense.
source="F:Splunk_Log Files*" status="Allow"
| eval kb=recv_bytes/1024
| stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip
I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.
Hi Mahesh,
Something like following using stats with eval should work and it is preferable to use rename instead of eval for renaming fields.
source="F:Splunk_Log Files*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|stats sum(bytes) as File_Transfer sum(eval(if( Start>=1 AND End<=85,bytes,0))) as Infrastructure by src_ip| rename Infrastructure AS Infrastructure ." MB"| rename File_Transfer AS File_Transfer." MB"
Thanks,
Sanjay
In your original question you gave this:
| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85
But in your comment, you said this:
For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255
Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?
Here is an untested example, and I'm totally changing your field names to make more sense.
source="F:Splunk_Log Files*" status="Allow"
| eval kb=recv_bytes/1024
| stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip
I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.
do you need to view the output results in a single row or multiple rows?
I need values of "File_Transfer" and "Infrastructure" in multiple columns by "src_ip".
src_ip,dst_ip,recv_bytes,status are columns in my log file.
These are my sample values:
src_ip=192.0.0.0
dst_ip=223.255.255.255
recv_bytes=12432
status=Allow
For File_Transfer, I need sum(recv_bytes ) by src_ip
For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255
the output table should contain columns as File_Transfer,Infrastructure,src_ip.
Thanks,
Mahesh.