- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Understanding command in search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
I need help understanding the search command.
I tried to read documents and still did not understand.
I would be happy to receive an explanation and not a link to study commands.
The commands is:
- sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
-sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Actio
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to do a similar search as above but I never can reach the blocked or potentially blocked data?
index="linuxeventlog" source="/var/log/illumio-pce/agent_traffic.log" host="*" sourcetype=agent_traffic blocked/potentially_blocked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @davidsplunk100
1) sourcetype=cisco_wsa_squid BLOCK | stats values(x_webroot_threat_name) as "Threat Name"
sourcetype=cisco_wsa_squid- this will retrive events from cisco_wsa_squid
BLOCK - you will get all the events from sourcetype=cisco_wsa_squid that contains BLOCK keyword.
| - output of before | acts as a input to after pipe i.e. your stats command
stats values(x_webroot_threat_name) as "Threat Name - The stats command calculates statistics based on fields in your events. It will give you all the threat names that contain BLOCK keyword in logs.
2) sourcetype=access_combined | stats count(action) as "Total Events" avg(price) as "Average Price"
sum(price) as "Total Amount" by action | rename action as Action
sourcetype=access_combined - this will retrive events from access_combined
stats count(action) as "Total Events" avg(price) as "Average Price" sum(price) as "Total Amount" by action - it will give you the total count of action field average price and sum of price from the retrived events of access_combined distributed by action values
rename action as Action - it will rename action field as Action
I hope this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect... Really Good.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
