- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- show column as count
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to do a search that looks for a Tag and lists all tags by number of events but also shows the number of source IP address, destination IP addresses and other fields by count.
So far I have this
splunk_server="server" index="index" | top 500 tag, severity, source IP, dest ip, source port, dest port | fields - percent
Although table gives me info that I want I want the source ip, dest ip, source port, dest port fields\columns to show up as a count instead of the actual data so that each row is has a unique tag.
Can any one tell me how to do this?
Here's what it looks like so far
tag severity source ip dest ip source port dest port
SMB_Auth high 10.10.16.116 10.10.16.2 1840 445
TCP_Probe low 10.30.22.30 208.120.22.8 49826 6779
I actually want it to look like this:
tag severity source ip's dest ip's source ports dest ports
SMB_Auth high 200 4000 100 1
TCP_Probe low 10000 165 50 60
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the distinct count function of stats command, something similar to this:
splunk_server="server" index="index" | stats dc(source IP), dc(dest ip), dc(source port), dc(dest port) by tag
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonStatsFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thnx every1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you are looks for stats distinct count
... | stats dc(source IP) as "source ip's" dc(dest ip) as "dest ip's" dc(dest port) as "dest ports" dc(source port) as "source ports" by tag
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Woohoo we all go it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does stats give you the information you need ?
It feels like you're trying to get the number of unique values for each of source IP, dest IP, source port and dest port
splunk_server="server" index="index" | stats dc("source ip") as "source ips" dc("dest ip") as "dest ips" dc("source port") as "source ports" dc("dest port") as "dest ports" by tag severity
This will count the unique values of each per tag-severity combination.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the distinct count function of stats command, something similar to this:
splunk_server="server" index="index" | stats dc(source IP), dc(dest ip), dc(source port), dc(dest port) by tag
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonStatsFunctions
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahh, was able to after all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thnx man. I should have given u the link award points as you were first. This worked out well. Thanks a lot.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
