Splunk Search

How to count different fields from different hosts?

dwear
Explorer

Pardon if this is easy, I just finished going through the Searching and Reporting class and am attempting to utilize what I learned in practice.

I'm attempting to correlate the number of malware events each endpoint on my network generates over a given period. To do that, I need to count data from multiple hosts. The problem I'm running into is that the host identifies the endpoint in a different context in the log messages. In the logs, the victim endpoint might be identified as src=, dst= or dvc=. This is what I have searched so far, but I don't know how to "count by" if the field is different. Thanks for any help.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | stats count by ??? | sort -count
0 Karma

masonmorales
Influencer

Could you post some sample data and perhaps a mock-up of what you want the results to look at?

0 Karma

dwear
Explorer

Since I'm still new, I can't post an image of my logs, but here is the generalization.

Appliance A: Malware Alert src=10.128.36.100 dst=96.127.180.106

Appliance B: Malware Alert src=96.127.180.106 dst=10.128.36.100

In this example I only care about listing the internal IPs or anything with 10.128.36.*

If I only use one appliance it works perfectly. I do host="Appliance A" src=* |stats count by src |sort -count

The issue is, since Appliance A and Appliance B have the 10.128.36 network in different fields, how do I count both those fields without counting ALL src and ALL dst?

0 Karma

richgalloway
SplunkTrust

Use the coalesce command to combine the different fields into a new field.

(host="10.128.16.45" src=*) OR (host="10.128.16.71" dst=*) | eval newField = coalesce(src, dst, dvc) | stats count by newField | sort -count
---
If this reply helps you, Karma would be appreciated.

dwear
Explorer

Thanks! Since both src and dst are in almost all of my logs, won't coalesce collect ALL those values when I only really care about half of them? I only really care about whichever field contains the 10.128 network.

0 Karma

richgalloway
SplunkTrust

Yes, you are correct. That wasn't clear from your original posting. Here's another approach.

host=* | eval addr=case(cidrmatch("10.128.36.0/24",src),src,cidrmatch("10.128.36.0/24",dst),dst) | stats count by addr | sort -count
---
If this reply helps you, Karma would be appreciated.
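The case()/cidrmatch() pattern above is easy to get subtly wrong (first matching branch wins, events where no branch matches are silently dropped by stats, and a dvc= field needs its own branch). The following is an added example, not code from this thread or from Splunk: a small Python re-implementation of that normalize-then-count logic over a handful of constructed sample events, so you can work out the counts you expect before trusting the search output. The field names src, dst and dvc come from the question; the appliance names, the extra event shapes and the 10.128.36.0/24 range are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Internal range to normalise on. Assumption for this example: substitute your own CIDRs.
INTERNAL_NETS = [ipaddress.ip_network("10.128.36.0/24")]

# Candidate fields in the order the SPL case() checks them: first match wins.
ENDPOINT_FIELDS = ("src", "dst", "dvc")

# Constructed sample events modelled on the two appliances in the thread; not real logs.
# "ApplianceC" is a hypothetical device that reports the endpoint as dvc=.
SAMPLE_EVENTS = [
    "host=ApplianceA Malware Alert src=10.128.36.100 dst=96.127.180.106",
    "host=ApplianceB Malware Alert src=96.127.180.106 dst=10.128.36.100",
    "host=ApplianceA Malware Alert src=10.128.36.100 dst=203.0.113.9",
    "host=ApplianceA Malware Alert src=10.128.36.7 dst=10.128.36.100",    # both sides internal
    "host=ApplianceC Malware Alert dvc=10.128.36.42 action=blocked",
    "host=ApplianceB Malware Alert src=198.51.100.5 dst=198.51.100.6",    # no internal side
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def extract_fields(event):
    """Mimic Splunk's automatic key=value extraction for one raw event."""
    return dict(KV_RE.findall(event))


def is_internal(value):
    """cidrmatch() equivalent: True if value is an IP inside any INTERNAL_NETS entry."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:          # hostname, empty string, or garbage: never matches
        return False
    return any(ip in net for net in INTERNAL_NETS)


def internal_endpoint(fields):
    """eval addr=case(cidrmatch(net,src),src, cidrmatch(net,dst),dst, cidrmatch(net,dvc),dvc)

    Returns None when no branch matches, which is what case() yields without a default."""
    for name in ENDPOINT_FIELDS:
        value = fields.get(name)
        if value is not None and is_internal(value):
            return value
    return None


def count_by_endpoint(events):
    """stats count by addr | sort -count

    Events whose addr is None are dropped, exactly as stats drops events whose by-field is null."""
    counter = Counter()
    for event in events:
        addr = internal_endpoint(extract_fields(event))
        if addr is not None:
            counter[addr] += 1
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def both_sides_internal(events):
    """Events where more than one field is internal. case() keeps only the first match,
    so internal-to-internal alerts are attributed to src alone; list them for review."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        matches = [n for n in ENDPOINT_FIELDS if n in fields and is_internal(fields[n])]
        if len(matches) > 1:
            hits.append((event, matches))
    return hits


if __name__ == "__main__":
    for addr, n in count_by_endpoint(SAMPLE_EVENTS):
        print(f"{addr:<16} {n}")
    for event, matches in both_sides_internal(SAMPLE_EVENTS):
        print("both internal:", matches, "->", event)
```

Two things worth carrying back to the SPL: add a third cidrmatch()/dvc branch to case() if any appliance reports the endpoint as dvc=, and remember that an event where neither field is internal gets a null addr and vanishes from `stats count by addr`, so compare the total against a plain `stats count` if the numbers look low.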

dwear
Explorer

Awesome, thanks Rich. Since I have numerous other, non-relevant devices sending data to the same Splunk instance, I had filtered it down some. It looks like it's working correctly; can you just verify that my syntax isn't over-including or excluding anything?

host=10.128.16.71 OR host=10.128.16.45 | eval addr=case(cidrmatch("10.128/16",src),src,cidrmatch("10.128./16",dst),dst) | stats count by addr | sort - count

0 Karma

richgalloway
SplunkTrust

There's an extra '.' in your second CIDR. Otherwise, it looks fine. Of course, I don't know your network configuration so I don't know if your CIDRs are correct.

---
If this reply helps you, Karma would be appreciated.
0 Karma