Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can I combine two searches and group by _time using a regex filter?

sdtruesdale
Engager
‎08-17-2017 12:08 PM

Hello,

I'm relatively new to Splunk, so please bear with me. What I am trying to accomplish is a time chart using tstats, but filtering the results using a regex. Specifically, this is for counting the number of times someone connects over HTTP/S to a naked IP (IP specified instead of a URL). The following two queries work, but when I try to combine them I get zero results:

| tstats count(Web.dest) AS destCount FROM datamodel=Web WHERE Web.action=blocked GROUPBY Web.dest | regex Web.dest="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

As you can see in the below screenshot, when grouped by Web.dest I get a table with counts and the regex filter works fine.

alt text

| tstats count(Web.dest) AS destCount FROM datamodel=Web WHERE Web.action=blocked GROUPBY _time span=1m

As you can see in the below screenshot, when grouped by _time without the regex, I get a nice table which I can then use to create a time chart.

alt text

However, if I try to combine the two queries and group by _time using a regex filter, I get zero results (screenshot not needed I think). 

| tstats count(Web.dest) AS destCount FROM datamodel=Web WHERE Web.action=blocked GROUPBY _time span=1m | regex Web.dest="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"

Can anyone assist me and/or confirm if what I'm trying to do is even possible? Your assistance is greatly appreciated.

Preview file
64 KB
Preview file
74 KB
0 Karma
Reply

somesoni2
Revered Legend
‎08-17-2017 01:01 PM

The query your tried is just grouping by _time to no Web.dest field is available to filter. Try like this

|  tstats count(Web.dest) AS destCount FROM datamodel=Web WHERE Web.action=blocked GROUPBY Web.dest _time span=1m | regex Web.dest="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...