Solved: Dedup on multiple fields but count the instance, a...

kearnwl · ‎12-02-2011

Original Data

SrcIP       SrcName     DstIP       DstName         DstPort 
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21

Data that I would like to Display

SrcIP           SrcName     DstIP       DstName     DstPort     Count
192.168.1.1     bob.net.net 172.16.16.1 alice.net.net   21      2

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

View solution in original post

kearnwl · ‎12-02-2011

Ok... wow, that was much easier than I thought. Thanks for helping me, and making me feel more than a little silly.

Ayn · ‎12-02-2011

No problem 🙂 That's often the case with Splunk - seemingly difficult task can be solved surprisingly easy by finding the right command and arguments!

Could you please mark my answer as accepted? Thanks!

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

Dedup on multiple fields but count the instance, and display as new field.

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Dedup on multiple fields but count the instance, and display as new field.

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!