https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288505#M34347 <P>Note that the search (before the first "|") resolves to <CODE>index=infrastructure 10 AND 120 AND 213 AND 29</CODE>, because the '.' is a minor segmenter, so it breaks up the IP address into four individual terms. Hence, it may not retrieve exactly what you need. (You can see the search being executed in the search.log, found in the Job Inspector, if you search for "Lispy")<BR /> Example:<BR /> 08-24-2017 01:18:18.579 INFO UnifiedSearch - Expanded index search = ( index=infrastructure 10.120.213.29 )<BR /> 08-24-2017 01:18:18.580 INFO UnifiedSearch - base lispy: <STRONG>[ AND 10 120 213 29 index::infrastructure ]</STRONG></P> <P>Docs for how to handle it <A href="http://docs.splunk.com/Documentation/Splunk/6.6.3/Search/UseCASEandTERMtomatchphrases">here</A></P> Thu, 24 Aug 2017 08:23:20 GMT s2_splunk 2017-08-24T08:23:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288503#M34345 <P>Hi all,</P> <P>Thanks for reading. I've tried a bunch of the offerings in the &gt;answers forum with no luck. Here's my effort:</P> <P>Need the following raw text to convert into a simple stats table showing hostname and destination.</P> <P>Raw text:<BR /> 8/23/17<BR /> 6:29:10.000 PM<BR /><BR /> Aug 23 18:29:10 asbcnspap02.gab.com 08/23/2017:18:29:10 asbcnspap02 0-PPE-1 : default TCP CONN_TERMINATE 23913664 0 : Source 10.XXX.XXX.29:443 - Destination 10.120.209.12:4911 - Start Time 08/24/2017:01:28:25 GMT - End Time 08/24/2017:01:29:10 GMT - Total_bytes_send 1 - Total_bytes_recv 1 </P> <P>Current search (not resolving):</P> <PRE><CODE>index=infrastructure 10.120.213.29 | stats count by Source, Destination | lookup dnslookup clienthost OUTPUT clientip </CODE></PRE> <P>Any help MUCH appreciated!</P> Tue, 29 Sep 2020 15:25:43 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288503#M34345 gabarrygowin 2020-09-29T15:25:43Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288504#M34346 <P>Try like this</P> <PRE><CODE>index=infrastructure 10.120.213.29 | stats count by Source, Destination | lookup dnslookup clientip as Source OUTPUT clienthost as Source_Host | lookup dnslookup clientip as Destination OUTPUT clienthost as Destination_Host </CODE></PRE> Thu, 24 Aug 2017 04:19:34 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288504#M34346 somesoni2 2017-08-24T04:19:34Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288505#M34347 <P>Note that the search (before the first "|") resolves to <CODE>index=infrastructure 10 AND 120 AND 213 AND 29</CODE>, because the '.' is a minor segmenter, so it breaks up the IP address into four individual terms. Hence, it may not retrieve exactly what you need. (You can see the search being executed in the search.log, found in the Job Inspector, if you search for "Lispy")<BR /> Example:<BR /> 08-24-2017 01:18:18.579 INFO UnifiedSearch - Expanded index search = ( index=infrastructure 10.120.213.29 )<BR /> 08-24-2017 01:18:18.580 INFO UnifiedSearch - base lispy: <STRONG>[ AND 10 120 213 29 index::infrastructure ]</STRONG></P> <P>Docs for how to handle it <A href="http://docs.splunk.com/Documentation/Splunk/6.6.3/Search/UseCASEandTERMtomatchphrases">here</A></P> Thu, 24 Aug 2017 08:23:20 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288505#M34347 s2_splunk 2017-08-24T08:23:20Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288506#M34348 <P>Thanks much sslevert!</P> <P>I finally got that all figured out and appreciate the leading help.</P> Thu, 24 Aug 2017 15:59:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288506#M34348 gabarrygowin 2017-08-24T15:59:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288507#M34349 <P>Cool. Please accept somesoni2's answer to mark it as resolved for posterity.</P> Thu, 24 Aug 2017 17:29:07 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Help-converting-raw-text-into-a-simple-stats-table-showing/m-p/288507#M34349 s2_splunk 2017-08-24T17:29:07Z