Alright, this may seem like a trivial question for some of you Splunkers. I'm new at this:
I'm trying to get the results of a top (n) inside_port for multiple inside_ip.
search string:
inside_ip=xxx.xxx.223.221 OR inside_ip=xxx.xxx.220.224 | top 5 inside_port
results returned:
inside_ip | inside_port | count | percent
223.221 | 22,80,443 | 6,3,1 | 60,30,10
220.224 | 443,3389,22 | 12,6,2 | 60,30,10
or alternative results:
inside_ip | inside_port | count | percent
223.221 | 22 | 6 | 60
223.221 | 80 | 3 | 30
would "top 5 inside_port by inside_ip" get you what you're looking for?
Could you post a _raw sanitized sample?
lol! Just check out docs.splunk, it's not 1/2 as bad as other product doco I've used in the past as it provides decent examples to better explain some of the concepts behind the actual commands.
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/Top
This worked perfectly! I don't know who you are, or where you came from, but I owe you a gift! This is going to work perfectly, and probably kill the server hahaha!
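To make clear what `top 5 inside_port by inside_ip` actually computes, here is an added Python emulation of the command over constructed sample events; it is not part of the thread and not Splunk's own code. The IPs, ports and counts are made up to reproduce the 60/30/10 split shown in the question, and the `hosts` filter stands in for the `inside_ip=... OR inside_ip=...` part of the search.

```python
from collections import Counter, defaultdict

# Constructed sample events (hypothetical values, not from the original thread).
SAMPLE_EVENTS = (
    [{"inside_ip": "10.0.223.221", "inside_port": 22}] * 6
    + [{"inside_ip": "10.0.223.221", "inside_port": 80}] * 3
    + [{"inside_ip": "10.0.223.221", "inside_port": 443}] * 1
    + [{"inside_ip": "10.0.220.224", "inside_port": 443}] * 12
    + [{"inside_ip": "10.0.220.224", "inside_port": 3389}] * 6
    + [{"inside_ip": "10.0.220.224", "inside_port": 22}] * 2
    + [{"inside_ip": "10.0.9.9", "inside_port": 53}] * 4  # excluded by the OR filter
)


def top_by(events, field, by, limit=5, hosts=None):
    """Emulate `<search> | top <limit> <field> by <by>`.

    `hosts` plays the role of the `inside_ip=a OR inside_ip=b` search filter.
    The `by` clause makes count and percent relative to each group's own
    event total, so 60/30/10 is per host, not per whole result set.
    Output is one row per (group, value), as in the "alternative results"
    table of the question, with each group's rows in descending count order.
    """
    groups = defaultdict(Counter)
    for ev in events:
        if hosts is not None and ev[by] not in hosts:
            continue
        groups[ev[by]][ev[field]] += 1

    rows = []
    for key, counter in groups.items():
        total = sum(counter.values())
        for value, count in counter.most_common(limit):
            rows.append({by: key, field: value, "count": count,
                         "percent": 100.0 * count / total})
    return rows


if __name__ == "__main__":
    for row in top_by(SAMPLE_EVENTS, "inside_port", "inside_ip",
                      hosts={"10.0.223.221", "10.0.220.224"}):
        print(f"{row['inside_ip']} | {row['inside_port']} | "
              f"{row['count']} | {row['percent']:.0f}")
```

Each host in the `by` field gets its own top-N list and its own percentage base, which is why both hosts in the question show 60/30/10 despite different absolute counts.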