Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does the _time value keeps coming up blank...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jon_d_irish_ctr
Path Finder
05-16-2018
06:13 AM
Hello,
I have the following search string, but "_time" keeps coming up blank. It appears that something is "clearing" it, but I can't figur eout what.
sourcetype=cisco:asa dest_ip="xxx.xxx.0.0/16" NOT "Failover primary closed" | stats count by src_ip,dest_ip | eval Connections = count | iplocation src_ip | where Country = "China" OR Country = "Iran" OR Country = "Iraq" OR Country = "Russia" OR Country = "Brazil" OR Country = "North Korea" | lookup dnsLookup ip as src_ip | eval ExtFQDN=if(isnotnull(host),host,src_ip) | eval ExtIPCity=if(City="","Not available",City) | eval ExtIPRegion=if(Region="","Not available",Region) | table Country ExtIPRegion ExtIPCity src_ip ExtFQDN dest_ip Connections _time | dedup src_ip dest_ip
Thanks,
Jon
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-16-2018
06:30 AM
@jon.d.irish.ctr, try the following search. Change the span (which is 1m) as per time aggregation that you need.
sourcetype=cisco:asa dest_ip="xxx.xxx.0.0/16" NOT "Failover primary closed"
| bin _time span=1m
| stats count by src_ip,dest_ip,_time
| eval Connections = count
| iplocation src_ip
| where Country = "China" OR Country = "Iran" OR Country = "Iraq" OR Country = "Russia" OR Country = "Brazil" OR Country = "North Korea"
| lookup dnsLookup ip as src_ip
| eval ExtFQDN=if(isnotnull(host),host,src_ip)
| eval ExtIPCity=if(City="","Not available",City)
| eval ExtIPRegion=if(Region="","Not available",Region)
| table Country ExtIPRegion ExtIPCity src_ip ExtFQDN dest_ip Connections _time
| dedup src_ip dest_ip
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jon_d_irish_ctr
Path Finder
05-16-2018
11:26 AM
Thanks for the comments everyone! I did get it working using nikenilay's example.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
05-16-2018
06:30 AM
@jon.d.irish.ctr, try the following search. Change the span (which is 1m) as per time aggregation that you need.
sourcetype=cisco:asa dest_ip="xxx.xxx.0.0/16" NOT "Failover primary closed"
| bin _time span=1m
| stats count by src_ip,dest_ip,_time
| eval Connections = count
| iplocation src_ip
| where Country = "China" OR Country = "Iran" OR Country = "Iraq" OR Country = "Russia" OR Country = "Brazil" OR Country = "North Korea"
| lookup dnsLookup ip as src_ip
| eval ExtFQDN=if(isnotnull(host),host,src_ip)
| eval ExtIPCity=if(City="","Not available",City)
| eval ExtIPRegion=if(Region="","Not available",Region)
| table Country ExtIPRegion ExtIPCity src_ip ExtFQDN dest_ip Connections _time
| dedup src_ip dest_ip
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
elliotproebstel
Champion
05-16-2018
06:28 AM
After this part of your query:
| stats count by src_ip,dest_ip
you will be left with three fields: count, src_ip, and dest_ip. If you want _time to persist through this part of the query, you'll need to restructure it somehow. Given that you're trying to count by src_ip and dest_ip but want to retain timestamps, you might find it helpful to do this instead:
| eventstats count by src_ip,dest_ip
| fields src_ip dest_ip _time count
...
That will retain the _time field and also narrow down the fields to the four you need - the three you had before, plus _time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
knielsen
Contributor
05-16-2018
06:23 AM
You are clearing it here: | stats count by src_ip,dest_ip - after that, you only have count, src_ip and dest_ip
Regards,
-Kai.
Get Updates on the Splunk Community!
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
Tuesday, May 14, 2024 | 11AM PT / 2PM ET
Register to Attend
Join us for this Tech Talk and learn how to ...
.conf24 | Personalize your .conf experience with Learning Paths!
Personalize your .conf24 Experience
Learning paths allow you to level up your skill sets and dive deeper ...
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...
