Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

having stats count and stats values combined

Merryvor
Explorer
‎09-06-2024 09:13 AM

Hello,

I'm trying to obtain a table like this :

FQDNurilist of  attack_typesattack_number
www.test.com/index

Information Leakage

Path Traversal

57
www.test.com/testPath Traversal30
prod.com/sample

Abuse of Functionality

Forceful Browsing

Command Execution

10

 

I can obtain the table without the list of attack_types, but I can't figure out how to add the values function.

| stats count as attack_number by FQDN,uri 
| stats values(attack_type) as "Types of attack"

 For each FQDN/uri I want to have the number of attacks, and all the attack_types seen.

It seems obvious, but I'm missing it.

Can someone help me ?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2024 09:15 AM

Just put the 

values(attack_type) as "Types of attack"

into the first stats.

You can't do 2 stats like that as you don't have the attack_type anymore after the first stats

View solution in original post

0 Karma
Reply
Solved! Jump to solution

Merryvor
Explorer
‎09-06-2024 09:22 AM

Thank you @bowesmana  

I actually tried this before

| stats count as attack_number by FQDN,uri values(attack_type) as "Types of attack"

 but it didn't return anything.

However this is working :

| stats values(attack_type) as "Types of attack" count as attack_number by FQDN,uri

I guess this way the by clause applies to both count and values function.

seems logic now that I see it !

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2024 09:29 AM

Yes, you're right - the logic for stats is stats - followed by as many aggregations you want and then the by clause.

 

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-06-2024 09:15 AM

Just put the 

values(attack_type) as "Types of attack"

into the first stats.

You can't do 2 stats like that as you don't have the attack_type anymore after the first stats

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...