https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629043#M218491 <P>Query:<BR />|tstats count where index=afg-juhb-appl&nbsp; &nbsp;host_ip=*&nbsp; &nbsp; &nbsp;source=*&nbsp; &nbsp; &nbsp;TERM(offer)<BR /><BR />i want to get the count of each source by host_ip as shown below.<BR />output:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%" height="24px">source</TD><TD width="20%" height="24px">11.56.67.12</TD><TD width="20%" height="24px">11.56.67.15</TD><TD width="20%" height="24px">11.56.67.18</TD><TD width="20%" height="24px">11.56.67.19</TD></TR><TR><TD width="20%" height="24px">/app/clts/shift.logs</TD><TD width="20%" height="24px">987</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">89</TD></TR><TR><TD width="20%" height="24px">/apps/lts/server.logs</TD><TD width="20%" height="24px">45</TD><TD width="20%" height="24px">45</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">43</TD></TR><TR><TD width="20%" height="24px">/app/mts/catlog.logs</TD><TD width="20%" height="24px">89</TD><TD width="20%" height="24px">89</TD><TD width="20%" height="24px">65</TD><TD width="20%" height="24px">56</TD></TR><TR><TD width="20%" height="24px">/var/http/show.logs</TD><TD width="20%" height="24px">12</TD><TD width="20%" height="24px">87</TD><TD width="20%" height="24px">43</TD><TD width="20%" height="24px">65</TD></TR></TBODY></TABLE> Tue, 31 Jan 2023 21:01:24 GMT Vani_26 2023-01-31T21:01:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629043#M218491 <P>Query:<BR />|tstats count where index=afg-juhb-appl&nbsp; &nbsp;host_ip=*&nbsp; &nbsp; &nbsp;source=*&nbsp; &nbsp; &nbsp;TERM(offer)<BR /><BR />i want to get the count of each source by host_ip as shown below.<BR />output:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="20%" height="24px">source</TD><TD width="20%" height="24px">11.56.67.12</TD><TD width="20%" height="24px">11.56.67.15</TD><TD width="20%" height="24px">11.56.67.18</TD><TD width="20%" height="24px">11.56.67.19</TD></TR><TR><TD width="20%" height="24px">/app/clts/shift.logs</TD><TD width="20%" height="24px">987</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">89</TD></TR><TR><TD width="20%" height="24px">/apps/lts/server.logs</TD><TD width="20%" height="24px">45</TD><TD width="20%" height="24px">45</TD><TD width="20%" height="24px">67</TD><TD width="20%" height="24px">43</TD></TR><TR><TD width="20%" height="24px">/app/mts/catlog.logs</TD><TD width="20%" height="24px">89</TD><TD width="20%" height="24px">89</TD><TD width="20%" height="24px">65</TD><TD width="20%" height="24px">56</TD></TR><TR><TD width="20%" height="24px">/var/http/show.logs</TD><TD width="20%" height="24px">12</TD><TD width="20%" height="24px">87</TD><TD width="20%" height="24px">43</TD><TD width="20%" height="24px">65</TD></TR></TBODY></TABLE> Tue, 31 Jan 2023 21:01:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629043#M218491 Vani_26 2023-01-31T21:01:24Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629048#M218493 <P>What does the current query give you?&nbsp; Is the offer field indexed?</P><P>Have you tried grouping by host_ip?</P><LI-CODE lang="markup">|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by host_ip</LI-CODE> Tue, 31 Jan 2023 21:05:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629048#M218493 richgalloway 2023-01-31T21:05:01Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629059#M218496 <P>hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;<BR /><BR />1.&nbsp;<SPAN>What does the current query give you?&nbsp; Is the offer field indexed?</SPAN><BR /><BR />No offrer&nbsp; field is not an index field.<BR /><BR />2. When i tried to use the below query i am getting the output as:<BR /><BR /><SPAN>|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by host_ip</SPAN></P><TABLE border="1" width="44.44379675357805%"><TBODY><TR><TD width="33.333333333333336%" height="24px">host_ip</TD><TD width="33.333333333333336%" height="24px">count</TD></TR><TR><TD width="33.333333333333336%" height="24px"><SPAN>11.56.67.12</SPAN></TD><TD width="33.333333333333336%" height="24px">45</TD></TR><TR><TD width="33.333333333333336%" height="24px"><SPAN>11.56.67.14</SPAN></TD><TD width="33.333333333333336%" height="24px">56</TD></TR></TBODY></TABLE><P><BR />But i am not expecting this output.</P> Tue, 31 Jan 2023 21:54:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629059#M218496 Vani_26 2023-01-31T21:54:36Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629236#M218570 <P>I should have included source in the <FONT face="courier new,courier">by</FONT> clause.&nbsp; Then you can use the <FONT face="courier new,courier">xyseries</FONT> command to rearrange the table.</P><P>&nbsp;</P><LI-CODE lang="markup">|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by source, host_ip | xyseries source host_ip count</LI-CODE><P>&nbsp;</P> Wed, 01 Feb 2023 21:08:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629236#M218570 richgalloway 2023-02-01T21:08:59Z https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629252#M218573 <P>Thank you <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; it worked</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 01 Feb 2023 23:22:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-count-of-each-source-by-IP/m-p/629252#M218573 Vani_26 2023-02-01T23:22:59Z