https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45905#M10952 <P>... | stats count by scr,dst</P> Mon, 09 Jan 2012 14:29:50 GMT imrago 2012-01-09T14:29:50Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45904#M10951 <P>Hello,</P> <P>I am trying to create a bubble chart (this is not very much documented, hopefully <A href="http://splunk-base.splunk.com/answers/25336/example-of-a-bubble-chart">this example</A> will help) for a 2D distribution.</P> <P>I have a set of data (IP addresses) and I would like to count the amount of "pairs" for a given time (ie. the IP addresses talking to each other). My search correctly extracts <CODE>src</CODE> and <CODE>dst</CODE> (the pair of IP addresses) and I want to build a matrix:</P> <PRE><CODE>src1 dst1 nr1 src2 dst1 nr2 src3 dst1 nr3 src2 dst1 nr4 src2 dst2 nr5 ... </CODE></PRE> <P>I know that my search should end up with <CODE>... | table src, dst, nr-something</CODE>, I just do not know how to extract <CODE>nr-something</CODE>.</P> <P>Thanks!</P> Mon, 09 Jan 2012 14:04:37 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45904#M10951 wsw70 2012-01-09T14:04:37Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45905#M10952 <P>... | stats count by scr,dst</P> Mon, 09 Jan 2012 14:29:50 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45905#M10952 imrago 2012-01-09T14:29:50Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45906#M10953 <P>What are you really asking for?</P> <P>1) How to count the source/destination pairs<BR /> OR<BR /> 2) How to extract nr-something?</P> <P>Please provide us with some sample data.</P> Mon, 09 Jan 2012 14:37:23 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45906#M10953 RubenOlsen 2012-01-09T14:37:23Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45907#M10954 <P>If you just want to count the source / destination pairs without putting the count sums into various buckets, go with imrago's answer.</P> <P>If you need to group the source / destination pairs by a 1 hour timeslot - you might want to try:</P> <PRE><CODE>... | eval SrcDestPair = src + " " + dest | timechart span=1h count by SrcDestPair </CODE></PRE> Mon, 09 Jan 2012 14:43:47 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45907#M10954 RubenOlsen 2012-01-09T14:43:47Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45908#M10955 <P>It was the first one (how to count). Both answers are exactly what I was looking for but I should have not used the word "extract" in my last sentence (and replace it by "count").</P> Mon, 09 Jan 2012 15:10:18 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45908#M10955 wsw70 2012-01-09T15:10:18Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45909#M10956 <P>Exactly what I was looking for - thanks. I have a hard time understanding the philosophy of the search syntax (but I will get over that one day :))</P> Mon, 09 Jan 2012 15:11:36 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45909#M10956 wsw70 2012-01-09T15:11:36Z https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45910#M10957 <P>Thank you. I cannot put two "best answers" but I upvoted yours <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Mon, 09 Jan 2012 15:12:00 GMT https://community.splunk.com/t5/Splunk-Search/table-for-two-dimentional-distribution/m-p/45910#M10957 wsw70 2012-01-09T15:12:00Z