- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can you limit events to the max numerical value of...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to limit my search results to events that contain the highest numerical value of a given field (vulnerability score) for each unique value of another field (ip address).
As events are created per vulnerability, there are multiple events with the same ip address but varying vulnerability scores. The goal here is to identify individual events for a given ip address / vulnerability score pair, and then populate a table containing other important field values unique to those events.
Sample Events:
IP: 1.2.3.4 Vulnerability Score: 100
IP: 1.2.3.4 Vulnerability Score: 200
IP: 1.2.3.4 Vulnerability Score: 300
IP: 1.2.3.5 Vulnerability Score: 100
IP: 1.2.3.5 Vulnerability Score: 200
IP: 1.2.3.5 Vulnerability Score: 300
I would like to limit my search to the following events:
IP: 1.2.3.5 Vulnerability Score: 300
IP: 1.2.3.4 Vulnerability Score: 300
How would I achieve this result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd use eventstats to apply the max() by IP address.
Here's some documentation about eventstats:
http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Eventstats
So let's say you have a base search that returns those events above, and you have already extracted the fields ip_address and vulnerability_score. Then here's how I'd do it:
base search | eventstats max(vulnerability_score) AS max_score BY ip_address | where vulnerability_score=max_score | fields - max_score
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd use eventstats to apply the max() by IP address.
Here's some documentation about eventstats:
http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Eventstats
So let's say you have a base search that returns those events above, and you have already extracted the fields ip_address and vulnerability_score. Then here's how I'd do it:
base search | eventstats max(vulnerability_score) AS max_score BY ip_address | where vulnerability_score=max_score | fields - max_score
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked perfectly for my needs. Thanks for the quick and detailed response!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad to help!
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
