Reputation: 5
how to group out different ip address and count their total numbers in Splunk
Hello Splunk network developers
source="logfile" host="whatever" sourcetye="snort" | search "ip server"
Gives all events related to particular ip address, but I would like to group my destination ipaddresses and count their totals based on different groups.
Ex
COUNT SCR IP DST IP
100 192.168.10.1:23 -> 4.4.4.4
20 192.168.10.1:23 -> 5.5.5.5
10 192.168.10.1:23 -> 6.6.6.6
I have uploaded my log file and it was not able to really recognize the host and source ip address. With this particular situation, if you can help me to add ways to group different dst adds and count them. I would be really happy.
However, if you can help me to upload the log file that can recognize the source and host ipaddress that would be easier for me, but please help me to give me your instruction if you happen to know.
Upvotes: 0
Views: 1838
Answers (1)
Reputation: 33453
This is going to come down to you how you group your stats calls:
| stats count(src_ip) by dst_ip
will be different from
| stats count(dst_ip) by src_ip
will be different from
| stats count by dst_ip src_ip
will be different from
| stats count by src_ip dst_ip
What are you actually trying to accomplish?
Upvotes: 0
Related Questions
- Splunk query to find previous requests from different ip
- Splunk query - Total or Count by field
- Splunk group by request url count
- Count and sum in splunk
- How to write Splunk query to get first and last request time for each sources along with each source counts in a table output
- Splunk: count by Id
- Splunk: Group by certain entry in log file
- Sum of count with Splunk
- Splunk count 2 different fields with two different group by without displaying them
- How to count results in Splunk and put them in a table?