Splunk Search

stats count only showing 10 results

mcbradford
Contributor

This is my search....

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country

This will only show me a count of 10 for each country. How can I get the top count per country?

I saw something about limit=0, but I do not know where to put this?

0 Karma

Drainy
Champion

mcbradford, I don't follow how your last post links to this. If you want to update your question then you need to click on the edit button on your original question, posting replies as answers only confuses matters 🙂 As below, what part of the results are wrong?

0 Karma

mcbradford
Contributor

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country, count, src_ip | search client_country!="United States" client_country!="" | stats sum(count) by client_country | sort -sum(count)

mcbradford
Contributor

When I did this I get:

Error in 'top' command: The output count field conflicts with the input field 'count'. Use the 'countfield' option to specify a different name.

My search now is:

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country | top count limit=1

but this errors.

0 Karma

Drainy
Champion

Hmm, see my updated answer.

0 Karma

Drainy
Champion

|top 100 src_ip 

Change that to:

|top 100 src_ip limit=1 |

The limit field is part of the top command and can be changed to set how many top results you want to display.

Edit: Actually, you probably need to add this to the end of your search:

| top count limit=1 

Edit edit:

Ok, how about:

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" client_country!="" | stats count by client_country | rename count AS cc_count | top cc_count limit=1

I haven't got Splunk running at the moment so this is just from memory; it may be a conflict between the counts, so let's do a rename and top of that.

0 Karma
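To make the difference between the two aggregations in this thread concrete, here is an added Python model of the pipeline (not code from the original posts or from Splunk). It runs the same steps over a constructed set of Cisco-style deny lines and a made-up stand-in for the `geoip` lookup table. `count_by_country` is what `stats count by client_country` computes after `top`: it counts the surviving `src_ip` rows, so the figure per country can never exceed the number of IPs `top` kept and says nothing about how many connections were denied. `sum_by_country` is `stats sum(count) by client_country`, which totals the per-IP counts `top` produced. The hypothetical `top_country` finishes with the equivalent of `| sort -sum(count) | head 1`, which sidesteps the output-field conflict you get by piping a field called `count` back into `top`.

```python
import re
from collections import Counter

# Constructed Cisco ASA style deny lines (not real traffic). Each tuple is
# (source IP, number of denied connections to emit for it).
_DENIES = [
    ("198.51.100.7", 5),
    ("203.0.113.5", 2),
    ("203.0.113.9", 9),
    ("192.0.2.44", 10),
    ("203.0.113.77", 3),
]
_LINE = ('Mar 10 12:00:{sec:02d} fw1 %ASA-4-106023: Deny tcp src outside:{ip}/4432 '
         'dst inside:10.0.0.5/22 by access-group "outside_in"')
SAMPLE_LOG = "\n".join(_LINE.format(sec=i % 60, ip=ip)
                       for ip, n in _DENIES for i in range(n))

# Constructed stand-in for the `geoip` lookup (clientip -> client_country).
# 203.0.113.77 is deliberately absent so it resolves to "" like an unmatched lookup.
GEOIP = {
    "198.51.100.7": "Germany",
    "203.0.113.5": "Germany",
    "203.0.113.9": "China",
    "192.0.2.44": "United States",
}

_SRC_RE = re.compile(r"\bDeny \w+ src \w+:(\d{1,3}(?:\.\d{1,3}){3})/")


def top_src_ip(log, limit=10):
    """`... denied | top <limit> src_ip`: rows of {src_ip, count}, most frequent first.
    Splunk's default limit for top is 10, which is why a bare `top src_ip` truncates."""
    counts = Counter()
    for line in log.splitlines():
        m = _SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return [{"src_ip": ip, "count": n} for ip, n in counts.most_common(limit)]


def lookup_country(rows):
    """`| lookup geoip clientip as src_ip`: adds client_country, "" when unmatched."""
    return [dict(r, client_country=GEOIP.get(r["src_ip"], "")) for r in rows]


def drop_us_and_unknown(rows):
    """`| search client_country!="United States" client_country!=""`."""
    return [r for r in rows if r["client_country"] not in ("United States", "")]


def count_by_country(rows):
    """`| stats count by client_country`: counts ROWS, i.e. distinct source IPs
    that survived `top`, not denied connections. This is the thread's problem."""
    return Counter(r["client_country"] for r in rows)


def sum_by_country(rows):
    """`| stats sum(count) by client_country`: totals the per-IP counts that
    `top` produced, giving denied connections per country."""
    totals = Counter()
    for r in rows:
        totals[r["client_country"]] += r["count"]
    return totals


def top_country(log, limit=100):
    """Whole pipeline ending in `| sort -sum(count) | head 1`: (country, denied events)."""
    rows = drop_us_and_unknown(lookup_country(top_src_ip(log, limit)))
    country, total = sum_by_country(rows).most_common(1)[0]
    return country, total


if __name__ == "__main__":
    rows = drop_us_and_unknown(lookup_country(top_src_ip(SAMPLE_LOG, 100)))
    print("stats count by client_country      ->", dict(count_by_country(rows)))
    print("stats sum(count) by client_country ->", dict(sum_by_country(rows)))
    print("top country                        ->", top_country(SAMPLE_LOG))
```

On the constructed data the two aggregations disagree on the answer: Germany has two source IPs in the top list (so `count` says 2) but China's single IP was denied more often (so `sum(count)` says 9 versus Germany's 7). Note also that `fields client_country` in the original search throws away `count` before `stats` runs, so `sum(count)` has nothing to add up unless `count` is kept, as in the later `fields client_country, count, src_ip` version.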

Drainy
Champion

What part of the results are incorrect?

0 Karma

mcbradford
Contributor

No error, but the results are not correct.

0 Karma

mcbradford
Contributor

Still does not work.

0 Karma