Any ideas ?

Hi Hi bugnet,,
try something like this

(index=ips) OR (index=waf msg!=NULL) 
| eval Action=case(suser=block,"B", 1==1,"B") 
| where src = src 
| iplocation src 
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips
| table src Country security_device ips Summary Action
| addtotals labelfield=Summary

Bye.
Giuseppe

Can you explain? Not working for me :"No results found"

Hi Hi bugnet,
This is an example, you have to adapt it to your situation: e.g.

• src probably is an IP address, if you insert | where src = src surely you haven't results, probably you have to delete the full row;
• your eval condition has always "B" as value, in this case you can simply use | eval Action="B" instead you condition;
• I don't know if "ips" is a search key, you inserted it in your starting example and I used it but I don't know what is, and so on.

Bye.
Giuseppe

I can not understand the next command:
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips

Hi bugnet,
see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Stats
every way:

• by-clause are the names of one or more fields to group by;
• values(X) returns the list of all distinct values of the field X as a multivalue entry.

it's important to insert values(X) because otherwise after stats command you only have the by clause fields.

Bye.
Giuseppe

Hi,

The table should shows number of attacks from each security device + summary, When the Action field should indicate whether the src address is already blocked.

src | Country | waf | IPS | Summary | Action
101.xxx.xxx.93 | China | 35 | 10 | 45 | B
51.xx.x.3 | US | 21 | 10 | 31 |