Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Values and counts

vishwanadhan_mu
Explorer
‎08-06-2019 11:36 PM

Ex: query=google.com , yahoo.com
src= xyz-pc , abc-pc

I want to know the count of queries to each domain queried by an individual computer.

For example, If I see a computer xyz-pc going to malicious sites multiple times everyday. I want to create a bin/bucket list to find, how many blocked queries and how many times the source computer has reached out to.

Thanks.
Vish

0 Karma
Reply

woodcock
Esteemed Legend
‎08-07-2019 03:31 PM

Like this:

... | stats count BY query src
| sort 0 - count
| stats list(*) AS * BY src
| stats sum(count) AS TotalCount BY src
| sort 0 - TotalCount
0 Karma
Reply

vishwanadhan_mu
Explorer
‎08-11-2019 08:59 PM

Could you pleas explain me how it works, if possible.

Especially the sort 0

0 Karma
Reply

woodcock
Esteemed Legend
‎08-13-2019 07:25 AM

Does this work for you? The 0 on the sort makes it unlimited (the command has a stupid default that trims the result set). To see what it is doing, just add in each line one by one.

0 Karma
Reply

vishwanadhan_mu
Explorer
‎08-13-2019 06:04 PM

IT worked. Thanks a lot

0 Karma
Reply

woodcock
Esteemed Legend
‎08-14-2019 08:22 AM

OK, then you should come back and click Accept on the answer to close the question.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...