Hi there, when I run this search:
index=* source=stream:Splunk_IP | rex field=src_ip "(?<src1>.*)\.(?<src2>.*)\.(?<src3>.*)\.(?<src4>.*)" | where src1 NOT null | rex field=dest_ip "(?<dest1>.*)\.(?<dest2>.*)\.(?<dest3>.*)\.(?<dest4>.*)" | where dest1 NOT null | eval source_ip=round(src1+exact(src2*.001), 3) | eval destination_ip=round(dest1+exact(dest2*.001), 3) | eventstats sum(sum(bytes)) as bytes by source_ip, destination_ip | stats latest(source_ip), latest(destination_ip), sum(count) by bytes | rename latest(source_ip) as "Source IP", latest(destination_ip) as "Destination IP", sum(count) as "Flows", bytes as "Bytes", sourcetype as "Sourcetype"
It produces this result:
As you'll notice the other half of source and destination ipaddresses are missing.
Is this: ????
Because the flow data doesn't arrive properly in SPLUNK
The stream app needs more configuring
Search syntax is wrong
I'd highly appreciate an answer on this.
Thanks in advance!
Erik
... View more