All Apps and Add-ons

How can I delete double values of the first field, but sum the second?

Crooda
New Member

Hi there,

I hope you can help me. I use the URL Toolbox to get the domain of my proxy logs.

lookup ut_parse_extended_lookup url | table ut_domain count | sort -count | head 100

These are the search results in the following table:

ut_domain         count
google.com        1000
heise.de          500
yahoo.com         20
google.com        200
yahoo.com         100

There are about 10,000 more URLs, some of them very often.
I want a table with every unique URL, but the counts summed like:

ut_domain         count
google.com        1200
heise.de          500
yahoo.com         120

Has anyone an idea? Thank you very much.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this.

lookup ut_parse_extended_lookup url | stats sum(count) as Count by ut_domain | table ut_domain Count | sort -Count | head 100
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Crooda
New Member

it's working, thanks 🙂

0 Karma

woodcock
Esteemed Legend

Like this:

.... lookup ut_parse_extended_lookup url | table ut_domain count | stats sum(count) AS count by ut_domain | sort -count | head 100
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this.

lookup ut_parse_extended_lookup url | stats sum(count) as Count by ut_domain | table ut_domain Count | sort -Count | head 100
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...