Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my tstats search with inputlookup to r...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal
Explorer
12-05-2016
11:17 PM
Hi All,
Need your help to refine this search.
Currently in the search, we are using the tstats command along with inputlookup to compare the blacklisted IP's with firewall IP's. Below is the search
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic where All_Traffic.src_zone=outside by All_Traffic.src | search [| inputlookup commonBlacklistIp.csv | search "Confidence Level"=high| rename Ip as All_Traffic.src | fields All_Traffic.src ]| rename dest_count as "Unique Destination IP" All_Traffic.src as "Blacklisted IP" | sort -"Unique Destination IP"
This search is working fine and we are getting the output Matched IP along with Count.
Now in our commonBlacklistIp.csv file, there are other fields like Severity and Confidence columns also. Once it matches the file, we need Matched IP , Severity IP , Confidence IP , Count in columns .
Hope you guys understand my question.
Do let me know if you guys have any questions for me.
Thank in advance 🙂
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-06-2016
07:11 AM
You need the lookup command. Try it like this
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic where All_Traffic.src_zone=outside by All_Traffic.src | lookup commonBlacklistIp.csv ip AS "All_Traffic.src" OUTPUT "Matched IP" "Severity IP" "Confidence Level" | search "Confidence Level"=high | rename dest_count as "Unique Destination IP" All_Traffic.src as "Blacklisted IP" | sort -"Unique Destination IP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
12-06-2016
07:11 AM
You need the lookup command. Try it like this
| tstats `summariesonly` dc(All_Traffic.dest) as dest_count from datamodel=Network_Traffic where All_Traffic.src_zone=outside by All_Traffic.src | lookup commonBlacklistIp.csv ip AS "All_Traffic.src" OUTPUT "Matched IP" "Severity IP" "Confidence Level" | search "Confidence Level"=high | rename dest_count as "Unique Destination IP" All_Traffic.src as "Blacklisted IP" | sort -"Unique Destination IP"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal
Explorer
12-07-2016
01:19 AM
Thanks ...................
Get Updates on the Splunk Community!
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
Introducing the 2024 Splunk MVPs!
We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...
Splunk Custom Visualizations App End of Life
The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...
