Hello,
I'm using a query to find all traffic hitting a single firewall rule.
It's something like this: host=fw_host_name rule_uid={uid} action=accept
I wanted to create a list of all sources, destinations and services (ports) with a count, so I added | stats count by src dst service
The output I get is perfect; for example, the following row: src:192.168.1.1 dst:8.8.8.8 service:22 count:71
But if I do the following search query over the same time range: host=fw_host_name rule_uid={uid} action=accept src=192.168.1.1 dst=8.8.8.8 service=22, Splunk returns 85 events.
So what's wrong with the stats count that it's not returning all events?
Thanks in advance for your help!