Solved: How to combine my two searches in Splunk?

Maheshparsi · ‎07-14-2015

Hi All,

I have 2 searches of a log file to be merged as one. When I execute them separately, it is working. Please find below:

For File_Transfer:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | stats sum(bytes)  as File_Transfer by src_ip | eval File_Transfer=File_Transfer." MB"

For Infrastructure:

source="F:\\Splunk_Log Files\\*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2)  | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85| stats sum(bytes)  as Infrastructure by src_ip| eval Infrastructure =Infrastructure ." MB"

Can you please suggest a solution for this.

Thanks in Advance.

Regards,
Mahesh.

jacobwilkins · ‎07-14-2015

In your original question you gave this:

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

View solution in original post

sanjay_shrestha · ‎07-14-2015

Hi Mahesh,

Something like following using stats with eval should work and it is preferable to use rename instead of eval for renaming fields.

source="F:Splunk_Log Files*" status="Allow" | eval bytes=round(((recv_bytes)/1024),2) | eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|stats sum(bytes) as File_Transfer  sum(eval(if( Start>=1 AND End<=85,bytes,0))) as Infrastructure by src_ip| rename Infrastructure  AS Infrastructure ." MB"| rename File_Transfer AS File_Transfer." MB"

Thanks,
Sanjay

jacobwilkins · ‎07-14-2015

In your original question you gave this:

| eval Start=substr(dst_ip, 1, 3)| eval End=substr(dst_ip, 1, 3 )|where Start>=1 and End<=85

But in your comment, you said this:

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

Is "dst_ip" or "src_ip" your criteria for being "Infrastructure"? If it is "src_ip", are you sure you are getting the result you want while also using "src_ip" in the "by" clause?

Here is an untested example, and I'm totally changing your field names to make more sense.

source="F:Splunk_Log Files*" status="Allow" 
 | eval kb=recv_bytes/1024
 | stats sum(kb) AS Total_KB, sum(eval(if(cidrmatch("192.0.0.0/3",dst_ip),kb,0)) AS Infrastructure_KB by src_ip

I've never actually tested cidrmatch with a /3, or anything smaller than a /8. It should work.

koshyk · ‎07-14-2015

do you need to view the output results in a single row or multiple rows?

Maheshparsi · ‎07-14-2015

I need values of "File_Transfer" and "Infrastructure" in multiple columns by "src_ip".
src_ip,dst_ip,recv_bytes,status are columns in my log file.

These are my sample values:

src_ip=192.0.0.0
dst_ip=223.255.255.255
recv_bytes=12432
status=Allow

For File_Transfer, I need sum(recv_bytes ) by src_ip

For Infrastructure, I need sum(recv_bytes) by src_ip where src_ip ranges from 192.0.0.0 to 223.255.255.255

the output table should contain columns as File_Transfer,Infrastructure,src_ip.

Thanks,
Mahesh.

How to combine my two searches in Splunk?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio