Values and counts

vishwanadhan_mu · ‎08-06-2019

Ex: query=google.com , yahoo.com
src= xyz-pc , abc-pc

I want to know the count of queries to each domain queried by an individual computer.

For example, If I see a computer xyz-pc going to malicious sites multiple times everyday. I want to create a bin/bucket list to find, how many blocked queries and how many times the source computer has reached out to.

Thanks.
Vish

woodcock · ‎08-07-2019

Like this:

... | stats count BY query src
| sort 0 - count
| stats list(*) AS * BY src
| stats sum(count) AS TotalCount BY src
| sort 0 - TotalCount

vishwanadhan_mu · ‎08-11-2019

Could you pleas explain me how it works, if possible.

Especially the sort 0

woodcock · ‎08-13-2019

Does this work for you? The 0 on the sort makes it unlimited (the command has a stupid default that trims the result set). To see what it is doing, just add in each line one by one.

vishwanadhan_mu · ‎08-13-2019

IT worked. Thanks a lot

woodcock · ‎08-14-2019

OK, then you should come back and click Accept on the answer to close the question.

Values and counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation

Values and counts

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future