I have the following search results and would like to add the count totals up. If I add the following line:
|addtotals fieldname=Blocks
I see the total, but the issue is for items with only one line, their count is doubled (for example, the second line with a count of 2899
has a total of 5798
. How do I make sure single counts in the list don't get doubled when adding the totals?
Thx
Broken scenario using addtotals
command that doubles the count for IPs that have only one domain listed:
src_ip Domain count Blocks
0.0.0.0 fox169.tlscdn.com 2899 5798
1.1.1.1 video.cynogage.com 3643 3886
serve.blutonic-ads.com 160
conf.wsm.360.cn 71
sconf.f.360.cn 11
quri.f.360.cn 1
2.2.2.2 video.cynogage.com 2301 2305
rdcdn.com 4
3.3.3.3 video.cynogage.com 594 1188
4.4.4.4 video.cynogage.com 576 1152
5.5.5.5 video.cynogage.com 837 873
serve.blutonic-ads.com 36
6.6.6.6 video.cynogage.com 663 705
serve.blutonic-ads.com 42
7.7.7.7 video.cynogage.com 563 566
serve.blutonic-ads.com 3
8.8.8.8 lb.cdn.e-adguardian.com 111 517
lb.cdn.d-adguardian.com 110
lb.cdn.a-adguardian.com 109
lb.cdn.c-adguardian.com 102
lb.mspt4-01.com 79
lb.msps4-01.com 6
9.9.9.9 video.cynogage.com 506 516
dopefile.com 6
us-nj-e3.rtbauction.com 4
Using the search of:
index=indexname
| stats count BY domain, src_ip
| sort 0 -count
| stats list(domain) AS Domain, list(count) AS count, sum(count) AS total BY src_ip
| sort 0 -total | head 10
| fields - total
| addtotals fieldname=Blocks
I get the following:
Domain count Blocks
video.cynogage.com 3643
serve.blutonic-ads.com 160
conf.wsm.360.cn 71
sconf.f.360.cn 11
quri.f.360.cn 1
fox169.tlscdn.com 2899 2899
video.cynogage.com 2301
rdcdn.com 4
video.cynogage.com 837
serve.blutonic-ads.com 36
video.cynogage.com 663
serve.blutonic-ads.com 42
video.cynogage.com 594 594
video.cynogage.com 576 576
video.cynogage.com 563
serve.blutonic-ads.com 3
video.cynogage.com 506
dopefile.com 6
us-nj-e3.rtbauction.com 4
lb.cdn.e-adguardian.com 111
lb.cdn.d-adguardian.com 110
lb.cdn.a-adguardian.com 109
lb.cdn.c-adguardian.com 102
lb.mspt4-01.com 79
lb.msps4-01.com 6
OK, first let's spoof the data:
| noop
| stats count as trash
| eval trash="0.0.0.0,fox169.tlscdn.com,2899::1.1.1.1,video.cynogage.com,3643::1.1.1.1,serve.blutonic-ads.com,160::1.1.1.1,conf.wsm.360.cn,71::1.1.1.1,sconf.f.360.cn,11::1.1.1.1,quri.f.360.cn,1::2.2.2.2,video.cynogage.com,2301::2.2.2.2,rdcdn.com,4::3.3.3.3,video.cynogage.com,594::4.4.4.4,video.cynogage.com,576::5.5.5.5,video.cynogage.com,837::5.5.5.5,serve.blutonic-ads.com,36::6.6.6.6,video.cynogage.com,663::6.6.6.6,serve.blutonic-ads.com,42::7.7.7.7,video.cynogage.com,563::7.7.7.7,serve.blutonic-ads.com,3::8.8.8.8,lb.cdn.e-adguardian.com,111::8.8.8.8,lb.cdn.d-adguardian.com,110::8.8.8.8,lb.cdn.a-adguardian.com,109::8.8.8.8,lb.cdn.c-adguardian.com,102::8.8.8.8,lb.mspt4-01.com,79::8.8.8.8,lb.msps4-01.com,6::9.9.9.9,video.cynogage.com,506::9.9.9.9,dopefile.com,6::9.9.9.9,us-nj-e3.rtbauction.com,4"
| makemv delim="::" trash
| mvexpand trash
| rex field=trash "(?<src_ip>[^,]+),(?<domain>[^,]+),(?<count>[^,]+)"
| fields - trash
Now, these events are pre-counted so this next line will be different than yours (keep yours the same):
| stats sum(count) AS count BY domain, src_ip
Finally, here is the adjusted/repaired remainder:
| sort 0 -count
| stats list(domain) AS Domain, list(count) AS count, sum(count) AS total BY src_ip
| sort 10 -total
| rename Total AS Blocks
OK, first let's spoof the data:
| noop
| stats count as trash
| eval trash="0.0.0.0,fox169.tlscdn.com,2899::1.1.1.1,video.cynogage.com,3643::1.1.1.1,serve.blutonic-ads.com,160::1.1.1.1,conf.wsm.360.cn,71::1.1.1.1,sconf.f.360.cn,11::1.1.1.1,quri.f.360.cn,1::2.2.2.2,video.cynogage.com,2301::2.2.2.2,rdcdn.com,4::3.3.3.3,video.cynogage.com,594::4.4.4.4,video.cynogage.com,576::5.5.5.5,video.cynogage.com,837::5.5.5.5,serve.blutonic-ads.com,36::6.6.6.6,video.cynogage.com,663::6.6.6.6,serve.blutonic-ads.com,42::7.7.7.7,video.cynogage.com,563::7.7.7.7,serve.blutonic-ads.com,3::8.8.8.8,lb.cdn.e-adguardian.com,111::8.8.8.8,lb.cdn.d-adguardian.com,110::8.8.8.8,lb.cdn.a-adguardian.com,109::8.8.8.8,lb.cdn.c-adguardian.com,102::8.8.8.8,lb.mspt4-01.com,79::8.8.8.8,lb.msps4-01.com,6::9.9.9.9,video.cynogage.com,506::9.9.9.9,dopefile.com,6::9.9.9.9,us-nj-e3.rtbauction.com,4"
| makemv delim="::" trash
| mvexpand trash
| rex field=trash "(?<src_ip>[^,]+),(?<domain>[^,]+),(?<count>[^,]+)"
| fields - trash
Now, these events are pre-counted so this next line will be different than yours (keep yours the same):
| stats sum(count) AS count BY domain, src_ip
Finally, here is the adjusted/repaired remainder:
| sort 0 -count
| stats list(domain) AS Domain, list(count) AS count, sum(count) AS total BY src_ip
| sort 10 -total
| rename Total AS Blocks
Hello @woodcock. I'm not sure I understand the logic behind |stats count as trash
.
With stats count
you get a 0 result. If you rename that with "trash" you're only changing the name. But without that initial statement, the query doesn't work. So, what is the key to understand your first query? Because, you are creating a field "trash" with eval command from scratch. It's true that the field "trash" already exists from stats and you are feeding it with the eval command but I don't understand why is necessary. I'm not getting the pre-counted concept you comment, probably.
Thanks in advance.
Before makeresults
existed, we used to use | noop | stats count
to create an event out of nothing.
Ok. Thank you for your explanation.
Thx - query works great
I completely do not understand your scenario; show us working and broken examples.
Added broken scenario - thx
Based on the image, we need to see more of your search, too.
Search is as follows:
index=indexname
|stats count by domain,src_ip
|sort -count
|stats list(domain) as Domain, list(count) as count, sum(count) as total by src_ip
|sort -total | head 10
|addtotals fieldname=Blocks
|fields - total