Solved: Dedup on multiple fields but count the instance, a...

kearnwl · ‎12-02-2011

Original Data

SrcIP       SrcName     DstIP       DstName         DstPort 
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21

Data that I would like to Display

SrcIP           SrcName     DstIP       DstName     DstPort     Count
192.168.1.1     bob.net.net 172.16.16.1 alice.net.net   21      2

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

View solution in original post

kearnwl · ‎12-02-2011

Ok... wow, that was much easier than I thought. Thanks for helping me, and making me feel more than a little silly.

Ayn · ‎12-02-2011

No problem 🙂 That's often the case with Splunk - seemingly difficult task can be solved surprisingly easy by finding the right command and arguments!

Could you please mark my answer as accepted? Thanks!

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

Dedup on multiple fields but count the instance, and display as new field.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!