Article: How to Use TOP and RARE Commands In Splunk. Written by: The Kinney Group Team.

I get it, SPL is a very wide language. It has many commands, arguments, and functions that are difficult to remember when you need them most.

Commands: stats. Use: Calculates aggregate statistics, such as average, count, and sum, over the result set.

Difference between stats and eval commands.

What is the correct syntax to count the number of events containing a vendoraction field?

How do I see how many events per minute or per hour Splunk is sending for specific sourcetypes I have? I cannot do an all-time real-time search. I don't have access to any internal indexes. I am a regular user with access to a specific index.

Breaking down the following search in English: we take the unique combinations of ACCOUNT and IP (using stats). We then pipe these rows through eventstats so that each row will get a 'distinctIPs' field. The distinctIPs value is the number of IP values that that row's ACCOUNT field was accessed by. Then we treat this as a rough weighting, and we just add up the values for each IP. It's kind of a ridiculous field name, but for clarity I've called it "totalDistinctIPsAccessedByAccountsTheyAccessed". In the end you get a list of the top IP addresses that had accessed LOTS of accounts, weighted heavily towards those where the accessed accounts were themselves accessed by a LOT of IPs.

| stats count by ACCOUNT IP | eventstats dc(IP) as distinctIPs by ACCOUNT | stats count sum(distinctIPs) as totalDistinctIPsAccessedByAccountsTheyAccessed by IP | sort - totalDistinctIPsAccessedByAccountsTheyAccessed

For each IP, the number of ACCOUNT it accesses; likewise, stats dc(IP) by ACCOUNT. Those are much simpler than what you're asking for obviously.