All Apps and Add-ons

How can I delete double values of the first field, but sum the second?

Crooda
New Member

Hi there,

I hope you can help me. I use the URL Toolbox to get the domain of my proxy logs.

lookup ut_parse_extended_lookup url | table ut_domain count | sort -count | head 100

These are the search results in the following table:

ut_domain         count
google.com        1000
heise.de          500
yahoo.com         20
google.com        200
yahoo.com         100

There are about 10,000 more URLs, some of them very often.
I want a table with every unique URL, but the counts summed like:

ut_domain         count
google.com        1200
heise.de          500
yahoo.com         120

Has anyone an idea? Thank you very much.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this.

lookup ut_parse_extended_lookup url | stats sum(count) as Count by ut_domain | table ut_domain Count | sort -Count | head 100
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Crooda
New Member

it's working, thanks 🙂

0 Karma

woodcock
Esteemed Legend

Like this:

.... lookup ut_parse_extended_lookup url | table ut_domain count | stats sum(count) AS count by ut_domain | sort -count | head 100
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this.

lookup ut_parse_extended_lookup url | stats sum(count) as Count by ut_domain | table ut_domain Count | sort -Count | head 100
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...