Re: Search for different values in same field and ...

demopro · ‎10-30-2018

Hi,

I cannot figure out how to find 4 different IPs in one field and sum them from a list of many IP's. Example: In field called "IP" I am looking only for 4 different IP address say (10.1. , 172.210.2.* , 32.* and 112.32.*) and I would like to name each one say Fld1, Fld2, Fld3 and Fld4 and in each field have the total number of IP's that match the search.

Output:
Fld1 Fld2 Fld3 Fld4
1200 978 12 33

gaurav_maniar · ‎11-01-2018

Hi,

Append the following to your search query and it will give you the count by particular ips,

In 'case' command first argument will be comparison condition and second argument will be the true value for the condition and add other condition similarly.

| eval ips=case(ip_field=="ip_value", "some_value_if_true", ip_field=="ip_value", "some_value_if_true") | stats count by ip_field

Example,

| eval ips=case(terminal=="132.132.132.132", "132.132.132.132", terminal=="133.133.133.133", "133.133.133.133") | stats count by ips

--
| eval ips=case(terminal=="132.132.132.132", "Fld1", terminal=="133.133.133.133", "Fld2") | stats count by ips
Let me know if you have any queries.
If it solves your problem, please accept the answer.

demopro · ‎11-01-2018

Thank you. I believe this will work. Question for you. Will this work if I use a wildcard in the IP. Like trying to roll up IP by say a /16 or /24 subnets?

gaurav_maniar · ‎11-01-2018

Nope, 'case' command does not support wildcard, it will work for exact match. You can change it in the string like - "132.132.132.132/16"

if you want to capture count of all subnet 16, in that case 'match' command should be used with 'case'. You have
http://docs.splunk.com/Documentation/Splunk/7.2.0/SearchReference/ConditionalFunctions#match.28SUBJE...

eval ips = case(match(terminal, ".+/16"), "Fld1", match(terminal, ".+/24"),"Fld2")

Correction in my 1st answer, changed = to ==

demopro · ‎10-31-2018

Not sure how to do what you requested. I can only say that the file I am using is a Bro file the "bro_conn". The field I referred to is the ip.orig_h field. This file contains all connections made by IP, Port, Protocol and so forth.

msivill_splunk · ‎11-01-2018

I'm not familiar with Bro Files, any chance of providing some more cut down examples with incoming event data and expected outcomes?

msivill_splunk · ‎10-30-2018

Any chance of building a small test case using the makeresults command so people can try things out? Example of makeresults generating rows of data can be found on https://answers.splunk.com/answers/600683/i-want-to-diff-the-counts-before-and-after-a-certa.html

Example

 | makeresults count=10 
 | streamstats count as number, min(_time) as first_time 
 | eval _time = _time - (10-number) 
 | eval site_id = CASE(number=1,"A",number=2,"B",number=3,"B",number=4,"C",number=5,"A",number=6,"A",number=7,"C",number=8,"C",number=9,"C",number=10,"C") 
 | eval cut_off_time = first_time - 5
 | eval is_start_count = IF(_time < cut_off_time, "start_count", "current_count")

demopro · ‎10-31-2018

Not sure how to do what you requested. I am working with a Bro file, the bro_conn file and the field I want to work on is the ip.orig_h . This file contains all IP for any connection that it sees. The file has several fields dealing with connections (IP, Port, Protocal, Timestamps and so om).

I need a way to filter for 4 different IP's and sum them.

sheamus69 · ‎10-31-2018

Have you got a sample log entry you can share? Feel free to sanitise as needed.

Search for different values in same field and sum them

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!