
stats count only showing 10 results

Contributor

This is my search:

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 srcip | lookup geoip clientip as srcip | fields clientcountry | search clientcountry!="United States" clientcountry!="" | stats count by clientcountry

This will only show me a count of 10 for each country. How can I get the top count per country?

I saw something about limit=0, but I do not know where to put this?

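The following is an added example, not code from the original thread or from Splunk: a Python model of the question's SPL pipeline, run over constructed Cisco ASA-style deny lines and a made-up geoip table. It shows why `stats count by clientcountry` placed after `top` counts top-100 source IPs per country (the small numbers the asker saw), while `stats sum(count) by clientcountry` over the `count` column that `top` emits gives denied events per country, which is what "top count per country" needs. The srcip regex, the lookup field names and the sample data are assumptions.

```python
"""Model of the thread's SPL pipeline over constructed data (added example).

SPL being modelled (corrected form, countries sorted by denied events):
    index=network source="/u01/noc/log/internetCisco.log" denied
    | top 100 srcip
    | lookup geoip clientip as srcip
    | fields clientcountry, count
    | search clientcountry!="United States" clientcountry!=""
    | stats sum(count) as total by clientcountry
    | sort - total
"""
import re
from collections import Counter


def _deny(ip, port):
    # Constructed ASA 106100-style line; not real log data.
    return (f"%ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/{ip}({port})"
            f" -> inside/10.0.0.8(22) hit-cnt 1")


# Constructed sample: 29 denied events from 5 source IPs plus one permitted line.
LOG_LINES = (
    [_deny("203.0.113.5", 51000 + i) for i in range(7)]
    + [_deny("203.0.113.9", 52000 + i) for i in range(3)]
    + [_deny("198.51.100.20", 53000 + i) for i in range(8)]
    + [_deny("192.0.2.44", 54000 + i) for i in range(9)]
    + [_deny("192.0.2.77", 55000 + i) for i in range(2)]
    + ["%ASA-6-106100: access-list OUTSIDE_IN permitted tcp outside/203.0.113.5(51999)"
       " -> inside/10.0.0.8(443) hit-cnt 1"]
)

# Constructed geoip lookup table (assumed shape: ip -> country). 192.0.2.77 is
# deliberately missing so the lookup leaves clientcountry empty for it.
GEOIP = {
    "203.0.113.5": "Germany",
    "203.0.113.9": "Germany",
    "198.51.100.20": "Brazil",
    "192.0.2.44": "United States",
}

# Assumed field extraction for srcip; a real deployment gets this from the Cisco add-on.
SRCIP_RE = re.compile(r"\bdenied \w+ \w+/(\d{1,3}(?:\.\d{1,3}){3})\(")


def search_denied(lines):
    """Base search `... denied`: keep events containing the term, extract srcip."""
    events = []
    for line in lines:
        if "denied" not in line:
            continue
        m = SRCIP_RE.search(line)
        if m:
            events.append({"srcip": m.group(1)})
    return events


def top(events, field, limit=10):
    """`| top <limit> <field>`: most common values, with count and percent columns."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in counts.most_common(limit)]


def lookup_geoip(rows, geoip, in_field="srcip"):
    """`| lookup geoip clientip as srcip`: add clientcountry; unmatched rows stay empty."""
    return [dict(r, clientcountry=geoip.get(r[in_field], "")) for r in rows]


def filter_foreign(rows):
    """`| search clientcountry!="United States" clientcountry!=""`."""
    return [r for r in rows if r["clientcountry"] not in ("United States", "")]


def stats_count_by(rows, field):
    """`| stats count by <field>`: rows per value, i.e. top-N source IPs per country."""
    return dict(Counter(r[field] for r in rows))


def stats_sum_count_by(rows, field):
    """`| stats sum(count) by <field>`: denied events per value, summing top's count."""
    totals = Counter()
    for r in rows:
        totals[r[field]] += r["count"]
    return dict(totals)


def top_country(rows):
    """`| stats sum(count) as total by clientcountry | sort - total | head 1`."""
    totals = stats_sum_count_by(rows, "clientcountry")
    return max(totals.items(), key=lambda kv: kv[1])


def run_pipeline(lines=LOG_LINES, geoip=GEOIP, limit=100):
    """Run the modelled pipeline and return both aggregations side by side."""
    rows = filter_foreign(lookup_geoip(top(search_denied(lines), "srcip", limit), geoip))
    return {
        "count_by_country": stats_count_by(rows, "clientcountry"),
        "events_by_country": stats_sum_count_by(rows, "clientcountry"),
        "top_country": top_country(rows),
    }


if __name__ == "__main__":
    for name, value in run_pipeline().items():
        print(f"{name}: {value}")
```

On this data `count_by_country` reports Germany 2 and Brazil 1 (how many of the top IPs map to each country), whereas `events_by_country` reports Germany 10 and Brazil 8, so `top_country` is Germany. The reason is the `| fields clientcountry` step in the original search: it discards the `count` column that `top` produced, and a later `stats count` can only count rows. Keeping `count` and summing it is the fix; `top count` on the result is not, since that ranks the count values themselves rather than the countries.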

Champion

mcbradford, I don't follow how your last post links to this. If you want to update your question, you need to click the edit button on your original question; posting replies as answers only confuses matters 🙂 As below, what part of the results are wrong?


Contributor

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 srcip | lookup geoip clientip as srcip | fields clientcountry, count, srcip | search clientcountry!="United States" clientcountry!="" | stats sum(count) as total by clientcountry | sort - total

Contributor

When I did this I get:

Error in 'top' command: The output count field conflicts with the input field 'count'. Use the 'countfield' option to specify a different name.

My search now is:

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 srcip | lookup geoip clientip as srcip | fields clientcountry | search clientcountry!="United States" clientcountry!="" | stats count by clientcountry | top count limit=1

but this errors.


Champion

Hmm, see my updated answer.


Champion
| top 100 srcip

Change that to:

| top 100 srcip limit=1 |

The limit field is part of the top command and can be changed to set how many top results you want to display.

Edit: Actually, you probably need to add this to the end of your search:

| top count limit=1 

Edit edit:

OK, how about:

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 srcip | lookup geoip clientip as srcip | fields clientcountry | search clientcountry!="United States" clientcountry!="" | stats count by clientcountry | rename count AS cccount | top cccount limit=1

I haven't got Splunk running at the moment, so this is just from memory. It may be a conflict between the counts, so let's do a rename and top of that.


Champion

What part of the results are incorrect?


Contributor

No error, but the results are not correct.


Contributor

Still does not work.
