How to group different IP addresses and count their total numbers in Splunk

Hello Splunk network developers
source="logfile" host="whatever" sourcetype="snort" | search "ip server"
This gives all events related to a particular IP address, but I would like to group my destination IP addresses and count their totals for each group.
Ex:
COUNT  SRC IP              DST IP
100    192.168.10.1:23  -> 4.4.4.4
20     192.168.10.1:23  -> 5.5.5.5
10     192.168.10.1:23  -> 6.6.6.6
I have uploaded my log file, but Splunk was not able to recognize the host and source IP address. In this situation, if you can help me find a way to group the different dst addresses and count them, I would be really happy.
However, if you can help me upload the log file so that the source and host IP addresses are recognized, that would be easier for me; please give me your instructions if you happen to know how.

This is going to come down to how you group your stats calls:
| stats count(src_ip) by dst_ip
will be different from
| stats count(dst_ip) by src_ip
will be different from
| stats count by dst_ip src_ip
will be different from
| stats count by src_ip dst_ip
What are you actually trying to accomplish?
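One way to produce the grouped table the question shows when the IP fields are not extracted automatically, as an added example that is not from the original thread: it assumes the raw Snort events carry a `src:port -> dst:port` pair and extracts src_ip, src_port, dst_ip and dst_port with rex (all four field names and the output column names are assumptions), then counts events per source/destination pair and sorts the busiest pairs first.

```spl
source="logfile" host="whatever" sourcetype="snort"
| rex "(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?<src_port>\d+))?\s+->\s+(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?<dst_port>\d+))?"
| where isnotnull(src_ip) AND isnotnull(dst_ip)
| eval src=if(isnotnull(src_port), src_ip.":".src_port, src_ip)
| stats count AS COUNT BY src dst_ip
| sort -COUNT
| rename src AS "SRC IP", dst_ip AS "DST IP"
| table COUNT "SRC IP" "DST IP"
```

To group on the bare source address rather than address and port, change the BY clause to `src_ip dst_ip`; `stats dc(dst_ip) BY src_ip` would instead give the number of distinct destinations each source talked to.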

Related

How to write a Splunk query to count response codes of multiple endpoints

I'm trying to monitor performance/metrics of my application as an external system is going through a heavy data ingest. Currently, I can easily watch one endpoint using the following:
index=my_index environment=prod service=myservice api/myApi1 USER=user1 earliest=07/19/2021:12:00:00 | stats count by RESPONSECODE
How can I adjust this query to include the additional endpoints I'd like to monitor? Ultimately I'd like a pie chart showing the total numbers of successes and failures across this API for the user.
Thanks all!
Edit: In the above query, api/myApi1 is the field I'm referring to. How can I include additional api/myApi# endpoints properly?
Include additional endpoints by adding them to the base query or by making the base query less specific.
index=my_index environment=prod service=myservice api/myApi1 USER IN (user1 user2 user3) earliest=07/19/2021:12:00:00
| stats count by USER, RESPONSECODE
OR
index=my_index environment=prod service=myservice api/myApi1 USER=* earliest=07/19/2021:12:00:00
| stats count by USER, RESPONSECODE

Counting by table with splunk - consolidate like fields

I have the following | stats count by HOST, USER, COMMAND | table HOST USER COMMAND count and it gives me a list of what I expect, but I can't seem to figure out how to consolidate HOST and USER and just count how many commands there were so it's just one row.
I'm pretty sure I'm supposed to use list in some way but my results still don't seem to consolidate correctly. Any clues?
I'm trying like this:
stats list(HOST) as HOST list(USER) as USER count(COMMAND) list(count) as count by COMMAND
Try this:
| stats values(COMMAND) as COMMAND by HOST USER

How to accumulate counts from different searches into one (pie) chart?

I have 5 different searches I am doing in Splunk where I am getting the count of how many results from that search query.
I've had a look at this thread here:
https://answers.splunk.com/answers/757081/pie-chart-with-count-from-different-search-criteri.html
but it's not quite working for me; I'm not 100% sure if it's what I want.
My search queries all look something like this:
index=A variable="foo" message="Created*" | stats count
index=A variable="foo" message="Deleted*" | stats count
I ideally want to assign each query to a keyword - such as created, deleted, etc, then do a pie chart based on the counts.
The following should be sufficient.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | stats count by message
If you can provide some more examples of the events you are trying to chart, there may be alternate approaches that can work for you.
This version will extract the key part of the message (Created, Deleted, etc.) into a field called mtype, and you can then perform stats on that field.
index=A variable="foo" message="Created*" OR message="Deleted*" OR message="<repeat this for any other message types you want>" | rex field=message "(?<mtype>Created|Deleted|...)" | stats count by mtype

How to find traffic and number of hits per URL in Splunk?

I have been using Splunk as a log monitoring tool, but recently got to know that we can also get network traffic and the number of hits per URL.
For example, I have a URL like the one below and I want to know the total number of hits that occurred over the last week:
https://stackoverflow.com/
What would be the query that I need to write to get the number of hits (count) per day/period of time in Splunk?
I tried this:
"url" | stats sum(linecount) as Total
which is returning >1000 hits count for the last 15 minutes, which is not correct.
Thanks in advance.
It is quick and accurate when you specify the index, host and site names.
index name = environment of the application, like SIT/UAT/QA/pre-prod/production
host name = the instance on which the application is hosted
site name = in my example it will be https://stackoverflow.com
Query = index="SIT*" host="*host_name*" "https://stackoverflow.com" "/questions" | stats sum(linecount) as Total
By executing the above query I can get the number of hits for the stackoverflow.com/questions URL.
The above query has given accurate results, and in Splunk we do have a drop-down option to select the period of time.
Try one of these queries to return the total number of hits:
"url" | stats count
Or:
"url" | stats sum(count) as total
Hi, the query below is a good example of how to get the site requests:
index="bcom" "https://www.bloomingdales.com/" | stats sum(linecount) as Total
#Ravindra'S
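The answers above return one total, but the question also asks for hits per day. As an added example that is not from the thread, this buckets the same search by day and splits the series per URL; it assumes the URL appears in the raw event text (the url field is extracted here with rex and is an assumption) and strips any query string so that variants of one page are counted together.

```spl
index="SIT*" host="*host_name*" "https://stackoverflow.com/questions"
| rex field=_raw "(?<url>https?://[^\s\"]+)"
| eval url=replace(url, "\?.*$", "")
| timechart span=1d limit=10 count AS hits BY url
```

Change `span=1d` to `span=1h` or `span=1w` for a different period; dropping the `BY url` clause gives a single daily series for the whole site.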

Dedup field by timeslice in splunk

I am looking to see how many servers are reporting into splunk over time. This is a query similar to the one I have tried:
sourcetype=defined | dedup host | timechart count by pop
What is happening is the host gets deduped before the time chart (obviously) so I'm not exactly getting the results I'm looking for.
How can I deduplicate the server list per time slice in the timechart?
Please let me know if further clarification is necessary.
Looks like the option I was looking for was the distinct_count function for charts. This is the final query that is returning results that I am looking for:
sourcetype=defined | timechart dc(host) by pop