https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108625#M28292 <P>Newbie to splunk, but I want to aggregate the log entries below based upon if it's the same ip address and request url.</P> <PRE> 192.168.8.5 [10/Nov/2011:11:11:23] "GET /hello/world HTTP/1.1" 200 1234 192.168.8.7 [10/Nov/2011:15:46:23] "GET /foo/bar HTTP/1.1" 200 124 192.168.8.5 [10/Nov/2011:18:00:25] "GET /foo/bar HTTP/1.1" 200 124 192.168.8.10 [10/Nov/2011:23:11:23] "GET /hello/world HTTP/1.1" 200 1234 192.168.8.5 [10/Nov/2011:23:59:00] "GET /hello/world HTTP/1.1" 200 1234 </PRE> <P>So the outcome I would like is as follows:</P> <PRE> ip address request url count 192.168.8.5 "GET /hello/world HTTP/1.1" 2 192.168.8.7 "GET /foo/bar HTTP/1.1" 1 192.168.8.5 "GET /foo/bar HTTP/1.1" 1 192.168.8.10 "GET /hello/world HTTP/1.1" 1 </PRE> <P>Can someone provide some insight? I've played around with dedup and distinct_count but can't seem to get it right to get the aggregated information from splunk.</P> <P>Thanks in advance.</P> Fri, 11 Nov 2011 06:22:30 GMT mchan 2011-11-11T06:22:30Z https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108625#M28292 <P>Newbie to splunk, but I want to aggregate the log entries below based upon if it's the same ip address and request url.</P> <PRE> 192.168.8.5 [10/Nov/2011:11:11:23] "GET /hello/world HTTP/1.1" 200 1234 192.168.8.7 [10/Nov/2011:15:46:23] "GET /foo/bar HTTP/1.1" 200 124 192.168.8.5 [10/Nov/2011:18:00:25] "GET /foo/bar HTTP/1.1" 200 124 192.168.8.10 [10/Nov/2011:23:11:23] "GET /hello/world HTTP/1.1" 200 1234 192.168.8.5 [10/Nov/2011:23:59:00] "GET /hello/world HTTP/1.1" 200 1234 </PRE> <P>So the outcome I would like is as follows:</P> <PRE> ip address request url count 192.168.8.5 "GET /hello/world HTTP/1.1" 2 192.168.8.7 "GET /foo/bar HTTP/1.1" 1 192.168.8.5 "GET /foo/bar HTTP/1.1" 1 192.168.8.10 "GET /hello/world HTTP/1.1" 1 </PRE> <P>Can someone provide some insight? I've played around with dedup and distinct_count but can't seem to get it right to get the aggregated information from splunk.</P> <P>Thanks in advance.</P> Fri, 11 Nov 2011 06:22:30 GMT https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108625#M28292 mchan 2011-11-11T06:22:30Z https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108626#M28293 <P>just search ... | stats count by ip_address,request_url can do for this </P> Mon, 28 Sep 2020 10:05:29 GMT https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108626#M28293 hjwang 2020-09-28T10:05:29Z https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108627#M28294 <P>Hi,</P> <P>Given that you have extracted the fields as <CODE>clientip</CODE> and <CODE>url</CODE></P> <PRE><CODE> &lt;your base search here&gt; | stats count by clientip url </CODE></PRE> <P>should produce the desired results.</P> <P>hope this helps,</P> <P>/Kristian</P> Fri, 11 Nov 2011 07:21:13 GMT https://community.splunk.com/t5/Splunk-Search/how-to-aggregate-log-entries/m-p/108627#M28294 kristian_kolb 2011-11-11T07:21:13Z