topic Re: Splunk Condition Search in Splunk Search

Splunk Condition Search

MM0071 — Fri, 13 Oct 2023 17:27:19 GMT

Let's say im running a search where I want to look at domains traveled to.

index=web_traffic sourcetype=domains domain IN ("*.com", "*.org*", "*.edu*")

I want to do a count on how domains that have appeared less than 5 times over the search period. How can I accomplish this? I know I could do a

stats count by domain

but after that, I'm unable to grab the rest of the results in the index such as time, etc.

Re: Splunk Condition Search

richgalloway — Fri, 13 Oct 2023 17:28:28 GMT

The stats command is transforming, which means only the fields referenced in it are available to subsequent commands. In this case, they would be count and domain. To make other fields available, include them in stats.

| status count, values(*) as * by domain

Note that fields other than count and domain may be multi-valued and so may require special handling using mv* functions.

Re: Splunk Condition Search

MM0071 — Fri, 13 Oct 2023 18:25:23 GMT

Thank you so much for the help. Can you explain to me what the follow line means?

values(*) as *

Re: Splunk Condition Search

PickleRick — Fri, 13 Oct 2023 18:47:14 GMT

It's a way of telling Splunk to rename the fields.

Normally if you just do

| stats values(*)

it will name the resulting fields values(fielda), values(fieldb), values(fieldc) and so on. If you just want to see what those values are that's no problem but that's not very convenient to work with such fields later. So if you do

| stats values(*) as *

The resulting mutivalued fields will be named the same as the original fields which you are summarizing were so instead of values(fielda) you'll still have fielda.

Re: Splunk Condition Search

richgalloway — Fri, 13 Oct 2023 18:51:32 GMT

values(*) as * means take the values of all other fields and put them into fields by the same name. So each field that existed before stats will exist after it, but possibly with more than one value in each.

Re: Splunk Condition Search

MM0071 — Fri, 13 Oct 2023 18:52:15 GMT

Gotcha. So how can I implement logic so only show domains that show up 5 or less times?

Re: Splunk Condition Search

PickleRick — Fri, 13 Oct 2023 18:56:41 GMT

You have the count field so you can use the where command to filter the events.

Re: Splunk Condition Search

MM0071 — Fri, 13 Oct 2023 19:04:02 GMT

Is it as simple as:

| stats count, values(*) as * by domain < 5

I get an error trying to do

| where stats count, values(*) as * by domain < 5

Re: Splunk Condition Search

PickleRick — Fri, 13 Oct 2023 19:50:33 GMT

No. Don't try to squeeze everything into one command 🙂

| stats count, values(*) as * by domain

This will give you results groupped by domain.

So now you have to filter the results with another command.

| where count<=5

And you're home.

Re: Splunk Condition Search

MM0071 — Mon, 16 Oct 2023 15:31:23 GMT

thank you. much appreciated.