Reporting

Combine Field Values within Top Search

rackersmt
Explorer

Hello,

I currently have a saved search. The command is as follows:

rt_idp (source_address=[ip range]) | top limit=100 source_address, attack_name, threat_severity, source_zone_name, destination_zone_name |  lookup dnsLookup ip as source_address | sort threat_severity, source_address

I'd like to add destination_address as one of the values reported, but if I add the field to the 'top' command, I get multiple lines for each source_address, one per dest. I'm wanting just one line per source, with perhaps the top destination, it's DNS name, and the percentage of attacks from the source that were directed at said top destination.

Anyone know how to accomplish this?

Tags (2)
0 Karma

rackersmt
Explorer

I ended up finding a solution. Thought I'd share:

rt_idp (source_address=[ip range]) | top 100 source_address, destination_address, attack_name, threat_severity, source_zone_name, destination_zone_name | lookup dnsLookup ip as source_address | rename host as src_dns | mvcombine destination_address | eval dst_count=mvcount(destination_address) | eval sample_dst_addr=mvindex(destination_address,0) | lookup dnsLookup ip as sample_dst_addr | rename host as sample_dst_dns | sort threat_severity, source_address | table threat_severity, attack_name, source_address, src_dns, source_zone_name, destination_zone_name, dst_count, sample_dst_addr, sample_dst_dns
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...