Solved: group by srcIP and total count dstIP

happy035 · ‎08-21-2013

Hello, I'm trying to compose search, that will show me srcIP, dstIP, count by dstIP like this:

srcIP       dstIP    count
1.1.1.1     2.2.2.2    15
            2.2.2.3     10
            2.3.4.3     10    
5.5.5.5     6.6.6.6     8
            7.7.7.7      8

I used like this status="failure" | stats count(dst) by src, dst, but I was unable to get distinct value of srcIP. Could you please advise me how to do that? Thanx in advance.

lguinn2 · ‎08-21-2013

There are a couple of ways to do this. Easiest:

status=failure | stats count by src, dst

It repeats the source IP on each line, though. This may also work:

status=failure 
| stats count by src, dst
| stats list(dst) as dstIP list(count) as count by src
| rename src as srcIP

This may look more like what you want. However, this version will not export in a useful way.

View solution in original post

lguinn2 · ‎08-21-2013

There are a couple of ways to do this. Easiest:

status=failure | stats count by src, dst

It repeats the source IP on each line, though. This may also work:

status=failure 
| stats count by src, dst
| stats list(dst) as dstIP list(count) as count by src
| rename src as srcIP

This may look more like what you want. However, this version will not export in a useful way.

happy035 · ‎08-21-2013

Appreciate for your perfect answer.
It works and much helpful to me.
Nice day.

group by srcIP and total count dstIP

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...