Hi,
I'm trying to to add a new field with constant value to my table.
The new field is "Action" when "B" is constant value. (Action=B)
The new field appears correctly in search, But, in the table the "B" value does not appear in the column.
My table syntax:
(index=ips) OR (index=waf msg!=NULL)
| eval Action=case(suser=block,"B", 1==1,"B")
| where src = src
| chart count over src by index
| iplocation src
| table src, Country, ips, waf , Action
| addtotals labelfield=Summary
Any ideas?
Thanks
Hi bugnet,
the problem is that the Action field isn't in the chart command so you should change your command.
I don't understand your search: what is your expectation?
In your chart command there is "by index" and in the table command index isn't present, can you explain better?
Bye.
Giuseppe
Any ideas ?
Hi bugnet,
try something like this
(index=ips) OR (index=waf msg!=NULL)
| eval Action=case(suser=block,"B", 1==1,"B")
| where src = src
| iplocation src
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips
| table src Country security_device ips Summary Action
| addtotals labelfield=Summary
Bye.
Giuseppe
Can you explain? Not working for me :"No results found"
Hi bugnet,
This is an example, you have to adapt it to your situation: e.g. with
| where src = src
surely you have no results, probably you have to delete the full row; use
| eval Action="B"
instead of your condition.
Bye.
Giuseppe
I can not understand the next command:
| stats values(Action) AS Action count AS Summary by src, Country, security_device ips
Hi bugnet,
see http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Stats
every way:
it's important to insert values(X) because otherwise after stats command you only have the by clause fields.
Bye.
Giuseppe
Hi,
The table should show the number of attacks from each security device + a summary, while the Action field should indicate whether the src address is already blocked.
src | Country | waf | IPS | Summary | Action
101.xxx.xxx.93 | China | 35 | 10 | 45 | B
51.xx.x.3 | US | 21 | 10 | 31 |
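Putting Giuseppe's point about values(X) together with the table requested above, one way to write the search is the following. This is an added example, not code from the thread; it assumes the field names src, suser and msg and the indexes ips and waf as they appear in the question, and that suser=="block" is what marks a source as already blocked (null() for the other rows, so Action stays blank for them). Fields not named in the by clause are dropped by stats and chart, so Action is carried through with values(); the per-index counts are produced with count(eval(...)) instead of chart, which keeps waf and ips as columns while Summary is the row total.

```spl
(index=ips) OR (index=waf msg!=NULL)
| eval Action=if(suser=="block","B",null())
| iplocation src
| stats values(Action) AS Action, count(eval(index="waf")) AS waf, count(eval(index="ips")) AS ips by src, Country
| addtotals fieldname=Summary waf ips
| table src Country waf ips Summary Action
```

If the ips index has no suser field, the blocked condition must instead come from whichever field your IPS logs use for the block verdict.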