12/12/2023 0 Comments Splunk stats count multiple fieldsThe choice of the right dataset and the diligence in preparing and analyzing it are pivotal for the success of data science and AI projects. In summary, datasets serve as the raw material for data-driven decision-making and machine learning. These collections of structured or unstructured data encompass a wide range of information, such as text, numbers, images, and more, gathered from various sources and domains. It looks something like this: Destination IPįor now, this is just a case of working through the sheet and rearranging the data into rows and columns that make more sense, but it’s something I may write some Python for in future, because it feels like it would be handy to have a script tucked away ready for when I need to do some analysis in a rush when investigating an incident.Datasets, in the realm of data science and machine learning, are the foundational building blocks for creating and training predictive models, conducting statistical analyses, and deriving meaningful insights from data. Unfortunately, asking Splunk to export an Excel file containing this data will give us an inconsistently space-delimited sheet that’s very difficult to use without some manual rearrangement. However, if we need to do any further analysis, Splunk throws us something of a curve ball. We have a clear view of which systems are being targeted and which services on those systems may be affected. That’s pretty useful to see what’s happening. The hyphen before the word list makes it descending.Īfter all of that, Splunk will give us something that looks like this: Destination IP This is achieved using Splunk’s sort function, which defaults to ascending order. sort -list(count)įinally, let’s sort our results so we can see what the most common destination IP addresses are. First we list by destination port, and then we list the event counts by destination IP, which leaves us with our (almost) final list of properly arranged destination IP addresses and ports. Now it’s time to arrange the results so we can see the counts on a per-IP basis. stats list(dest_port), list(count) by dest_ip We list the fields we want Splunk to return at the end of the function – here, I want to see the results by destination IP address and destination port. Next we run stats, which is Splunk’s aggregation function and allows us to generate various statistics from our data. In this case, I’m looking for all events that have the source IP 8.8.8.8, but this can be any search that returns the data you want to perform the other operations on. This is our base query, which works in much the same way as any standard search you’d run in Splunk. Let’s look in a little bit more detail at how that query is put together… src_ip=”8.8.8.8″ Stats list(dest_port), list(count) by dest_ip A query to retrieve that information and present it in a readable format would look like this: src_ip=”8.8.8.8″ Here’s what I pieced together to perform a count on a subset of events and group the data by two fields…Īs an example, let’s imagine that we’re investigating some incoming traffic from a certain IP address and want to see its targets according to destination IP and port. Splunk is a powerful tool, but with so many available functions and hit-and-miss coverage on forums it can sometimes take some trial and error to get queries right.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |