Splunk Search

Drill down search command to aggregate stats list() count?


dear all

i have logs including fields src-ip,hit-count,attack-dst-ip, and etc.
if i wanna show results table as follows

src-ip, src-ip-city, sum(hit-count), seperate attack-dst-ip, seperate sum(hit-count) by attack-dst-ip Los Angles, 10,, 2
               , 3
               , 5

here src_ip may have different attack-dst-ip and its corrensponding sum of hit-count,
how can i do this?

i use following search

host="xxx" | fields * | geoip src-ip | where src-ip_countryname="xxx" | stats sum(hit-count), values(dst-ip), list(hit-count) by src-ip, src-ip-city

but list command will list all values rather than sum(hit-count) by previous attack-dst-ip,any good suggestions?thanks a lot.

0 Karma


Use stats count by (src_ip)

0 Karma


i think you might missunderstand what i mean. anyway,thanks

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!