https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379359#M111155 <P>Hi, </P> <P>I am hitting a dead end with my search...</P> <P>I have two multivalue fields:</P> <P>Site_ID - has 100's of values<BR /> Attack - has 10 values</P> <P>I want a report that shows the count of individual attacks and total attacks by Site_ID</P> <PRE><CODE>Site_ID XSS SQLi Total by Site my.site.com 10 12 24 </CODE></PRE> <P>I have been using this as a base search </P> <PRE><CODE>index=Firewall sourcetype=Firewall_logs Attack = SQLi OR Attack = xSS OR | chart count over Site_ID by Attack </CODE></PRE> <P>But I just cannot find the right syntax to produce the needed report.</P> <P>Any help would be greatly appreciated!</P> Thu, 20 Dec 2018 20:34:56 GMT Log_wrangler 2018-12-20T20:34:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379359#M111155 <P>Hi, </P> <P>I am hitting a dead end with my search...</P> <P>I have two multivalue fields:</P> <P>Site_ID - has 100's of values<BR /> Attack - has 10 values</P> <P>I want a report that shows the count of individual attacks and total attacks by Site_ID</P> <PRE><CODE>Site_ID XSS SQLi Total by Site my.site.com 10 12 24 </CODE></PRE> <P>I have been using this as a base search </P> <PRE><CODE>index=Firewall sourcetype=Firewall_logs Attack = SQLi OR Attack = xSS OR | chart count over Site_ID by Attack </CODE></PRE> <P>But I just cannot find the right syntax to produce the needed report.</P> <P>Any help would be greatly appreciated!</P> Thu, 20 Dec 2018 20:34:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379359#M111155 Log_wrangler 2018-12-20T20:34:56Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379360#M111156 <P>The <CODE>stats</CODE>, <CODE>chart</CODE>, and <CODE>timechart</CODE> commands are all multi-value-safe so all that you need is a total column? That is cake, just add <CODE>| addtotals row=t col=f fieldname="Total by Site"</CODE>. See this run-anywhere example:</P> <PRE><CODE>index=_* | rename sourcetype AS Attack, host AS Site_ID | chart count OVER Site_ID BY Attack | addtotals row=t col=f fieldname="Total by Site" </CODE></PRE> Thu, 20 Dec 2018 21:22:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379360#M111156 woodcock 2018-12-20T21:22:59Z https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379361#M111157 <P>Thanks, you're right... cake, forgot how to do it. </P> Thu, 20 Dec 2018 21:56:16 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-count-and-sum-multivalue-fields-by-another-multivalue/m-p/379361#M111157 Log_wrangler 2018-12-20T21:56:16Z