Splunk Search

How to edit my search to display a table of user IDs and IP addresses?

ronj_clark
Explorer

I have a search that searches for source IP addresses that hit a specific site. It then takes the source IP and “appends” it to the main search. I can get this to work producing raw data entries, but I want a table with the user ID and the IP address.

This produces raw events:

index="AD" OR index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*"  cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org" | fields src | dedup src ]

So where would the table statement go? I have tried at the very end outside the brackets, and before the opening bracket. None worked.

0 Karma

somesoni2
SplunkTrust

The syntax that you have here is not for appending the src to the main search; it filters the results of the main search so that only the raw events with a matching src (I believe your main search also has a field called src) are kept.

If the above does give you the data you need, add the table command to the end of the search. Note that you can only select fields which are available in the main search.

index="AD" OR index="winders" [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*"  cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org" | stats count by src | fields src ] | table src userfieldname
0 Karma
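As an added example (not code from either poster), the following spells out the mechanism the answer above describes: the bracketed subsearch runs first, returns a list of src values, and Splunk rewrites it into a filter (src="…" OR src="…") that is ANDed onto the outer search. Everything that shapes the output, including table, therefore has to come after the closing bracket. The outer search is grouped with stats so each user/IP pair appears once with its first and last hit, instead of one row per raw event. The parentheses around the OR clauses are added for clarity. The Windows-side field names src and user are assumptions; the Windows/AD events must carry the client IP in a field literally named src for the generated filter to match anything, and the account field may be named differently (for example Account_Name or src_user) depending on the add-on doing the extraction.

```spl
(index="AD" OR index="winders")
    [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation"
          x_webcat_code_full!="Online Storage*"
          (cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org")
      | stats count by src
      | fields src ]
| stats count earliest(_time) as first_seen latest(_time) as last_seen by src user
| convert ctime(first_seen) ctime(last_seen)
| table src user first_seen last_seen count
```

To confirm what the subsearch actually hands to the outer search, run the bracketed part on its own and append | format; the search field in the result is the literal expression Splunk substitutes. If the table comes back empty, check the field names in the outer index with | fieldsummary, since a field that is not extracted in the AD/Windows events can neither be filtered on nor tabled. Also keep in mind the default subsearch limits (10,000 results and 60 seconds): a violation list longer than that is truncated, and the outer search silently misses those IPs.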