Solved: Re: Count of hosts

Armyeric · ‎05-27-2014

I have a search:
index="proxy" ([|inputlookup proxy.csv|rename site as query | fields query] ) NOT www.google.com | stats count by dest_host

*www.google.com is my test to make sure the search is working and since I would have to reload a new lookup table I just leave it in.

The search works, but I am getting subdomains and pages associated with my search and they count as individual destination hosts.

Lookuptable:

facebook.com

Search Results:

12341241421421421.facebook.com

1234.channel.facebook.com

2345.channel.facebook.com

etc,

etc.

I know I can do a replace *facebook.com with facebook.com and that will get me the total count for that host...but I have many other domains I am doing a count for and my search would exceed the length. Is there an easier way to do my search that will combine all the subdomains into the main domain and thus get a total count of each host? The lookup table has about 3500 hosts in it.

okrabbe_splunk · ‎05-27-2014

One option is to clean up the field that has the site?

For example, do a rex like this to just grab the domain

| rex field=site  "(?<site>[^\.]+\.[^\.]+$)"

After that, you can then compare your list from the lookup with just the domain name.

View solution in original post

okrabbe_splunk · ‎05-27-2014

One option is to clean up the field that has the site?

For example, do a rex like this to just grab the domain

| rex field=site  "(?<site>[^\.]+\.[^\.]+$)"

After that, you can then compare your list from the lookup with just the domain name.

Armyeric · ‎05-28-2014

It didn't like "site" so I replaced it with dest_host and it works. Thanks!

Count of hosts

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!