Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

group ports by IP

curtgran
Explorer
‎04-24-2012 12:58 PM

Hi,

I'm hoping this is trivial but I've searched and can't really find the answer.

I'm searching TCP connections and would like to have a list of all the IP addresses and what ports they have used. A sample would look like this:

10.1.1.1 21 22 23 80 8080

I don't care how the ports are grouped but I would like them all on the line with the IP address if possible.

Thanks for any help on this one.

Curt

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎04-24-2012 01:10 PM

Not strictly on one line, but each IP along with a list of the port it's used:

... | stats values(dest_port) by src_ip

(assuming your port field is dest_port and the host field is src_ip.)

View solution in original post

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎04-24-2012 01:15 PM

I might try something with stats, e.g. <search> ... | stats list(port) as portlist by ip | table ip, portlist

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎04-24-2012 01:10 PM

Not strictly on one line, but each IP along with a list of the port it's used:

... | stats values(dest_port) by src_ip

(assuming your port field is dest_port and the host field is src_ip.)

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...