I'm trying to do a search that looks for a tag and lists all tags by number of events, but also shows the number of source IP addresses, destination IP addresses and other fields by count.
So far I have this:
splunk_server="server" index="index" | top 500 tag, severity, "source IP", "dest ip", "source port", "dest port" | fields - percent
Although the table gives me the info that I want, I want the source ip, dest ip, source port and dest port fields/columns to show up as a count instead of the actual data, so that each row has a unique tag.
Can anyone tell me how to do this?
Here's what it looks like so far:
tag        severity  source ip     dest ip       source port  dest port
SMB_Auth   high      10.10.16.116  10.10.16.2    1840         445
TCP_Probe  low       10.30.22.30   208.120.22.8  49826        6779
I actually want it to look like this:
tag        severity  source ip's  dest ip's  source ports  dest ports
SMB_Auth   high      200          4000       100           1
TCP_Probe  low       10000        165        50            60
You could use the distinct count function of the stats command, something similar to this:
splunk_server="server" index="index" | stats dc("source IP"), dc("dest ip"), dc("source port"), dc("dest port") by tag
http://docs.splunk.com/Documentation/Splunk/4.3.4/SearchReference/CommonStatsFunctions
Thanks everyone
I think you are looking for stats distinct count
... | stats dc("source IP") as "source ip's" dc("dest ip") as "dest ip's" dc("dest port") as "dest ports" dc("source port") as "source ports" by tag
Woohoo we all got it!
Does stats give you the information you need?
It feels like you're trying to get the number of unique values for each of source IP, dest IP, source port and dest port.
splunk_server="server" index="index" | stats dc("source ip") as "source ips" dc("dest ip") as "dest ips" dc("source port") as "source ports" dc("dest port") as "dest ports" by tag severity
This will count the unique values of each per tag-severity combination.
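To make concrete what `stats count dc(...) by tag severity` computes versus what `top` shows, here is an added Python reference implementation of that aggregation over a handful of constructed events (not code from the thread or from Splunk; the field names are assumed to match the question's columns). Events missing a by-field are dropped, as stats does.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions matching the question.
EVENTS = [
    {"tag": "SMB_Auth", "severity": "high", "source ip": "10.10.16.116", "dest ip": "10.10.16.2", "source port": "1840", "dest port": "445"},
    {"tag": "SMB_Auth", "severity": "high", "source ip": "10.10.16.117", "dest ip": "10.10.16.2", "source port": "1841", "dest port": "445"},
    {"tag": "SMB_Auth", "severity": "high", "source ip": "10.10.16.116", "dest ip": "10.10.16.2", "source port": "1842", "dest port": "445"},
    {"tag": "TCP_Probe", "severity": "low", "source ip": "10.30.22.30", "dest ip": "208.120.22.8", "source port": "49826", "dest port": "6779"},
    {"tag": "TCP_Probe", "severity": "low", "source ip": "10.30.22.31", "dest ip": "208.120.22.9", "source port": "49827", "dest port": "6779"},
    # untagged event: has no "tag" field, so `stats ... by tag severity` ignores it
    {"severity": "low", "source ip": "10.30.22.32", "dest ip": "208.120.22.8", "source port": "49828", "dest port": "6779"},
]
FIELDS = ["source ip", "dest ip", "source port", "dest port"]
BY = ["tag", "severity"]


def stats_dc(events, fields, by):
    """Emulate `stats count dc(f) ... by <by>`: one row per unique combination of
    the by-fields, with the event count and the number of distinct values of each
    listed field. Events lacking a by-field are skipped; events lacking one of the
    counted fields simply contribute nothing to that field's distinct set."""
    groups = defaultdict(lambda: {"count": 0, **{f: set() for f in fields}})
    for ev in events:
        key = tuple(ev.get(b) for b in by)
        if any(k is None for k in key):
            continue
        g = groups[key]
        g["count"] += 1
        for f in fields:
            if f in ev:
                g[f].add(ev[f])
    rows = []
    for key, g in groups.items():
        row = dict(zip(by, key))
        row["count"] = g["count"]
        for f in fields:
            row[f"dc({f})"] = len(g[f])
        rows.append(row)
    return sorted(rows, key=lambda r: tuple(r[b] for b in by))


if __name__ == "__main__":
    for row in stats_dc(EVENTS, FIELDS, BY):
        print(row)
```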
Ahh, was able to after all.
Thanks man. I should have given you the link award points as you were first. This worked out well. Thanks a lot.