
How can I delete double values of the first field, but sum the second?

Crooda
New Member

Hi there,

I hope you can help me. I use the URL Toolbox to get the domain of my proxy logs.

lookup ut_parse_extended_lookup url | table ut_domain count | sort -count | head 100

These are the search results in the following table:

ut_domain         count
google.com        1000
heise.de          500
yahoo.com         20
google.com        200
yahoo.com         100

There are about 10,000 more URLs, some of them occurring very often.
I want a table with every unique URL, but with the counts summed, like:

ut_domain         count
google.com        1200
heise.de          500
yahoo.com         120

Does anyone have an idea? Thank you very much.

0 Karma
1 Solution

richgalloway
SplunkTrust

Try this.

lookup ut_parse_extended_lookup url | stats sum(count) as Count by ut_domain | table ut_domain Count | sort -Count | head 100
---
If this reply helps you, an upvote would be appreciated.


Crooda
New Member

It's working, thanks 🙂

0 Karma

woodcock
Esteemed Legend

Like this:

.... lookup ut_parse_extended_lookup url | table ut_domain count | stats sum(count) AS count by ut_domain | sort -count | head 100
0 Karma
