Solved: Dedup on multiple fields but count the instance, a...

kearnwl · ‎12-02-2011

Original Data

SrcIP       SrcName     DstIP       DstName         DstPort 
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21
192.168.1.1 bob.net.net 172.16.16.1 alice.net.net   21

Data that I would like to Display

SrcIP           SrcName     DstIP       DstName     DstPort     Count
192.168.1.1     bob.net.net 172.16.16.1 alice.net.net   21      2

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

View solution in original post

kearnwl · ‎12-02-2011

Ok... wow, that was much easier than I thought. Thanks for helping me, and making me feel more than a little silly.

Ayn · ‎12-02-2011

No problem 🙂 That's often the case with Splunk - seemingly difficult task can be solved surprisingly easy by finding the right command and arguments!

Could you please mark my answer as accepted? Thanks!

Ayn · ‎12-02-2011

... | stats count by SrcIP SrcName DstIP DstName DstPort

Dedup on multiple fields but count the instance, and display as new field.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation