I'm good at PowerShell, and OK at KQL, but I'm having a hard time even coming up with the right terms to search for to get help on this Splunk query.

Every event has a session_id field with a value. Some events contain a geo_country field with a value, and some events contain a username field with a value. But there are *no* events that contain the geo_country, username, and session_id fields.

I managed to get this query together that allows you to search for records for a specific user:

index=sslvpn geo_country=*
| table _time, s_user, session_id, geo_country, src_ip

The s_user field is just so the resulting table will also include the username. Now what I'd like to do is just get results that include the username and country code associated with every unique session_id, and I'm just falling apart here.

Firstly, great input from badideas1 (stats) and shifty21 (transaction). But honestly I don't think you need to go as far as any of this subsearch stuff. I think all you really need would be to still use by session_id to split up your initial stats table, but you're welcome to also grab all the src_ip values you want in the same original table, if that's the extra stuff you want:

index=sslvpn session_id=* | stats values(username) as users, values(geo_country) as countries, values(src_ip) as IPs by session_id

Or if you want sort of one table that gives you the filter on username, and then another that is mapping src_ip to session_id regardless of if there's a username, that's fine too:

index=sslvpn session_id=* | stats values(username) as users, values(geo_country) as countries by session_id | where isnotnull(users) | appendpipe

Maybe that? Sort of getting two result sets simultaneously? Syntax might be a bit off there as I'm writing it in my head.

Edit: remembering that syntactically appendpipe still requires all of the fields/columns it runs the stats command on to be present in the table already, so the second example probably won't work as is. However, if you absolutely wanted a separate organization between the two result sets, appendcols would likely work instead.

Sure, I mean there's lots of ways to do that really, but you could do it as simply as:

| lookup $lookupTableName session_id (as common value) OUTPUTNEW $whateverFieldsYouWantToPullFromTheLookup

In terms of the thing you're trying to get out of all of this though, I don't know that a lookup is strictly necessary here. Just to be clear, "lookup" has a specific meaning in Splunk... are you using it as a substitute for "search"? If so, stop =). If that's true, then let me know and I can rethink the content of your followup question here. As it is, I'm not sure I follow; I'm not seeing the need for eval at all in this case, or what this second search is supposed to return that we don't already have in the first.

Just add the 3rd values() function into your original stats command, and there you go.
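As an added example (not from the thread), here is a small Python model of the suggested `index=sslvpn session_id=* | stats values(username) as users, values(geo_country) as countries, values(src_ip) as IPs by session_id` search and of the `| where isnotnull(users)` filter, run over constructed VPN events in which no single event carries all three fields; the event values and function names are my own.

```python
from collections import defaultdict

# Constructed sample events (not real logs): every event has a session_id,
# but username, geo_country and src_ip never appear together in one event,
# which is exactly the situation described in the question.
EVENTS = [
    {"_time": "2024-01-01T08:00:01", "session_id": "S1", "username": "alice"},
    {"_time": "2024-01-01T08:00:02", "session_id": "S1", "geo_country": "DE", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-01T08:00:03", "session_id": "S1", "src_ip": "203.0.113.10"},
    {"_time": "2024-01-01T08:05:00", "session_id": "S2", "geo_country": "US", "src_ip": "198.51.100.7"},
    {"_time": "2024-01-01T08:05:04", "session_id": "S2", "username": "bob"},
    {"_time": "2024-01-01T08:09:00", "session_id": "S3", "geo_country": "FR", "src_ip": "192.0.2.44"},
    {"_time": "2024-01-01T08:09:30", "username": "carol"},  # no session_id: dropped by session_id=*
]

# Output column -> source field, mirroring "values(username) as users, ...".
VALUES_AS = {"users": "username", "countries": "geo_country", "IPs": "src_ip"}


def stats_values_by_session(events, values_as=VALUES_AS):
    """Model of `stats values(<field>) as <name>, ... by session_id`.

    values() collects the distinct values of a field over all events in the
    group and simply skips events where the field is absent, so fields that
    never co-occur in a single event still land on the same session_id row.
    Returns {session_id: {name: sorted values, or None when never seen}}.
    """
    groups = defaultdict(lambda: {name: set() for name in values_as})
    for ev in events:
        if "session_id" not in ev:  # the base search session_id=* filters these out
            continue
        row = groups[ev["session_id"]]
        for name, field in values_as.items():
            if field in ev:
                row[name].add(ev[field])
    # Splunk leaves a column empty (null) when values() saw nothing; use None.
    return {sid: {n: sorted(v) if v else None for n, v in cols.items()}
            for sid, cols in groups.items()}


def sessions_with_username(events):
    """Model of appending `| where isnotnull(users)` to the stats search."""
    return {sid: row for sid, row in stats_values_by_session(events).items()
            if row["users"] is not None}


if __name__ == "__main__":
    for sid, row in sorted(sessions_with_username(EVENTS).items()):
        print(sid, row)
```

Session S3 shows why the filter matters: it has a country and an IP but no username, so it appears in the first table and is dropped by the second.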