https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78665#M19906 <P>We use this search to give me a ranked view of active clients of a certain type:</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | top c_ip,cs_username,cs_user_agent,sc_status limit="30" </CODE></PRE> <P>exchange_index has iis logs from an Exchange server. We see cases, where a given IP number has two different matches: one with a username and status 200, and one with no username and status 401, like this:</P> <PRE><CODE>128.200.235.121 AD\mcuser Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 200 128.200.235.121 - Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 401 </CODE></PRE> <P>We'd like to be able to treat the sc_status as values to the other fields which are the same, and produce an output like this (or at least similar to it):</P> <PRE><CODE>128.200.235.121 AD\mcuser Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 200 - 401 </CODE></PRE> <P>I am able to do this with the stats command, as follows:</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | stats values(cs_username), values(sc_status) by c_ip cs_user_agent </CODE></PRE> <P>with this output:</P> <PRE><CODE> c_ip cs_usr_agent values(cs_username) values(sc_status) 1 101.172.170.148 Mac+OS+X/10.8.3+(12D78)+CalendarAgent/55 - 200 AD\usrx 401 2 107.16.155.76 Mac+OS+X/10.8.3+(12D78)+CalendarAgent/55 - 200 AD\usry 401 </CODE></PRE> <P>But of course, stats does not give me the same results as top does, and top does not seem to work with values, even though the syntax is so similar to stats.</P> <P>Any ideas?</P> Thu, 28 Mar 2013 22:21:46 GMT wrangler2x 2013-03-28T22:21:46Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78665#M19906 <P>We use this search to give me a ranked view of active clients of a certain type:</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | top c_ip,cs_username,cs_user_agent,sc_status limit="30" </CODE></PRE> <P>exchange_index has iis logs from an Exchange server. We see cases, where a given IP number has two different matches: one with a username and status 200, and one with no username and status 401, like this:</P> <PRE><CODE>128.200.235.121 AD\mcuser Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 200 128.200.235.121 - Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 401 </CODE></PRE> <P>We'd like to be able to treat the sc_status as values to the other fields which are the same, and produce an output like this (or at least similar to it):</P> <PRE><CODE>128.200.235.121 AD\mcuser Mac+OS+X/10.8.3+(12D78);+ExchangeWebServices/3.0+(157);+Mail/6.3+(1503) 200 - 401 </CODE></PRE> <P>I am able to do this with the stats command, as follows:</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | stats values(cs_username), values(sc_status) by c_ip cs_user_agent </CODE></PRE> <P>with this output:</P> <PRE><CODE> c_ip cs_usr_agent values(cs_username) values(sc_status) 1 101.172.170.148 Mac+OS+X/10.8.3+(12D78)+CalendarAgent/55 - 200 AD\usrx 401 2 107.16.155.76 Mac+OS+X/10.8.3+(12D78)+CalendarAgent/55 - 200 AD\usry 401 </CODE></PRE> <P>But of course, stats does not give me the same results as top does, and top does not seem to work with values, even though the syntax is so similar to stats.</P> <P>Any ideas?</P> Thu, 28 Mar 2013 22:21:46 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78665#M19906 wrangler2x 2013-03-28T22:21:46Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78666#M19907 <P>what exactly is top doing that stats isn't doing? do you like the <CODE>limit=30</CODE> thing that top does? Or maybe the calculation of percentages? Both can be done in other ways.</P> Fri, 29 Mar 2013 05:25:26 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78666#M19907 sideview 2013-03-29T05:25:26Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78667#M19908 <P>There are multiple ways of doing this including using transactions, subsearch and join etc. but probably the easiest for you would be to just sort your results. I wouldn't sort by a multi value field so your search should look somthing like :-</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | stats values(cs_username) as usernames, values(sc_status) as status by c_ip cs_user_agent | sort 30 c_ip cs_user_agent </CODE></PRE> <P>if you want the results to be in the same order as previously, add the table command.</P> <PRE><CODE>... | table c_ip, usernames, cs_user_agent, status </CODE></PRE> <P>Bob</P> Fri, 29 Mar 2013 08:40:19 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78667#M19908 BobM 2013-03-29T08:40:19Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78668#M19909 <P>I've been meaning to get back to this for days, but had fires to put out. Your suggestion is very close to the mark, but to get the same output as top and the same results I had to make some minor modifications (top seems to do by-descending count):</P> <P>index="exchange_index" cs_user_agent="Mac+OS*" | stats values(cs_username) as usernames, values(sc_status) as status count by c_ip cs_user_agent | sort 30 -count c_ip cs_user_agent | eventstats sum(count) as total | eval percent=100*count/total | strcat percent "%" percent | table c_ip, usernames, cs_user_agent, status, count, percent</P> <P>Thank you!</P> Mon, 28 Sep 2020 13:39:58 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78668#M19909 wrangler2x 2020-09-28T13:39:58Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78669#M19910 <P>With total on the count column:</P> <PRE><CODE>index="exchange_index" cs_user_agent="Mac+OS*" | stats values(cs_username) as usernames, values(sc_status) as status count by c_ip cs_user_agent | sort 30 -count c_ip cs_user_agent | eventstats sum(count) as total | eval percent=100*count/total| strcat percent "%" percent | table c_ip, usernames, cs_user_agent, status, count, percent| addtotals col=t count row=f </CODE></PRE> Wed, 03 Apr 2013 17:46:57 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-get-values-working-with-the-top-command-Or-get/m-p/78669#M19910 wrangler2x 2013-04-03T17:46:57Z