- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my search to return a certain field ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I edit my search to return a certain field value in my table of results?
Hi,
I'm trying to return some results with the AppID that is being searched. My current search does everything I want except return the appID that is being searched. My search and results are below. Any help with constructing the proper search would be greatly appreciated.
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", application as "AppID"
Results:
UniqueSrcIP UniqueDstIP UniqueSrcPort UniqueDstPort ComboIPs Sent Rec AppID
19 22 74 2 40 14545060 534759637
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here's how to get the tabled results sorted by application
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by application | sort by application
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting how the query I gave works when the application field is not renamed.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) AS "AppID"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm surprised the query works without a function around the application field. Try this
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | rename application AS AppID | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID
or
index=index1 sourcetype=traffic application=app1 action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec", values(application) as "AppID"
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I downvoted this post because wrong answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
including the rename still doesn't work. Neither of the methods you've described work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the "by AppID" gives me an error, The query looks like the comment above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The rename command is missing.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your help. I pretty much have the result I need. I just need my results to be sorted based on AppID rather than aggregating the results from all appID's. Could you help me with that? Do I use a "by AppID"?
index=index1 sourcetype=traffic application=ssh OR ping action=allow earliest_time=-1d latest_time=now() | eval ComboIP=Src_IP."-".Dst_IP | stats values(application) as "AppID", dc(Src_IP) AS UniqueSrcIP, dc(Dst_IP) AS UniqueDstIP, dc(Src_Port) AS UniqueSrcPort, dc(Dst_Port) AS UniqueDstPort, dc(ComboIP) AS ComboIPs, sum(bytes_sent) AS "Sent", sum(bytes_received) AS "Rec" by AppID
AppID UniqueSrcIP UniqueDstIP UniqueSrcPort UniqueDstPort ComboIPs Sent Rec
"ping ssh"3447 68267 5921 6 73211 13690286344 1079036067
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The "by AppID" clause will display the results based on AppID rather than aggregating them.
If this reply helps you, Karma would be appreciated.
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
