Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using multiple values in a sub search to filter the main search?

dennywebb
Path Finder
‎04-24-2013 03:35 PM

I have an index of data traffic across the network. I am able to select a list of the "top 10" IP addresses by IP and want to show a table of IP/PORT/IP-PORT DATA USAGE for only those top 10.

If I do the stats then try a sort+head i get the top 10 IP-PORT instead of the top 10 IP.

Example:
If I only wanted top 2 (to keep it simple) then from the data:

ip        bytes   port
-----------------------------
1.1.1.1, 1000023, 80
1.1.1.1, 43243,   443
2.2.2.2, 1000025, 3493
3.3.3.3, 1000026, 5542
4.4.4.4, 1000027, 3332

I would get results for 4.4.4.4 and 3.3.3.3.... because stats sum(bytes) by ip, port is not merging the sum of bytes for the two 1.1.1.1 entries.

Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-24-2013 06:19 PM

Let me try and restate, to make sure I have it right -- You want to get a table showing IP, Port, and total bytes from that IP+Port combination, but you only want the IP's in the table to be from the 10 IP's that have the highest overall total bytes.

Easiest way is probably as follows, and doesn't need a subsearch: 

<your searchterms> | stats sum(bytes) as bytes by ip port | streamstats sum(bytes) as totalBytesForThisIP by ip | sort - totalBytesForThisIP | head 10

If you want to use a subsearch you certainly can, but it's a lot more efficient to do the other version above. The subsearch solution would look like: 

<your searchterms> [search <your searchterms> | stats sum(bytes) as bytes by ip | sort - bytes | fields ip] | stats sum(bytes) as bytes by ip port

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎04-24-2013 06:19 PM

Let me try and restate, to make sure I have it right -- You want to get a table showing IP, Port, and total bytes from that IP+Port combination, but you only want the IP's in the table to be from the 10 IP's that have the highest overall total bytes.

Easiest way is probably as follows, and doesn't need a subsearch: 

<your searchterms> | stats sum(bytes) as bytes by ip port | streamstats sum(bytes) as totalBytesForThisIP by ip | sort - totalBytesForThisIP | head 10

If you want to use a subsearch you certainly can, but it's a lot more efficient to do the other version above. The subsearch solution would look like: 

<your searchterms> [search <your searchterms> | stats sum(bytes) as bytes by ip | sort - bytes | fields ip] | stats sum(bytes) as bytes by ip port
Reply
Solved! Jump to solution

dennywebb
Path Finder
‎04-24-2013 09:19 PM

streamstats was the key i was looking for, thanks!

however good to know about the subsearch as well, i had assumed using it in that way would only work for single values, not a set of records.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...