How can I create a search with the stats command which breaks up results into separate rows?

showard22 — Mon, 08 Oct 2018 18:49:15 GMT

Trying to create a query that would search two different network logs (firewall and proxy) and return results. The results would be displayed with a count by URL. The issue I'm having is that it's returning all the results in one row when I want individual URLs in each of their own individual rows with their corresponding fields including first and last time to that URL.

So the count is pulling ALL URLs rather than each individual one. It's definitely something with the stats command but I can't seem to tweak it to make it work.

Any ideas?

(index=firewall OR index=proxy) (sourcetype=fwlog OR sourcetype=proxylog) (dest=* OR DestinationIP=*) (src=8.8.8.8 OR SourceIP=8.8.8.8) (url="*" OR URL="*")
| eval url = coalesce(url,URL) 
| eval action = coalesce(action,Action) 
| eval src = coalesce(src,SourceIP)
| eval dest = coalesce(dest,DestinationIP)
| stats values(url) AS URLs count earliest(_time) AS First latest(_time) AS Last by src dest action 
| fields src dest action URLs count First Last
| convert timeformat="%Y-%m-%d %T" ctime(First) ctime(Last)

Re: How can I create a search with the stats command which breaks up results into separate rows?

Vijeta — Tue, 29 Sep 2020 21:34:28 GMT

try using the below stats commad-

stats values(src) as src, values(dest) as dest, values(action) as action earliest(_time) as First, latest(_time) as Last by url

topic Re: How can I create a search with the stats command which breaks up results into separate rows? in Splunk Search

How can I create a search with the stats command which breaks up results into separate rows?

Re: How can I create a search with the stats command which breaks up results into separate rows?