Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Group events based on content of field?

KMoryson
Explorer
‎11-16-2022 01:56 AM

I have the following table of activities:

Internal External Direction
1.1.1.1 2.2.2.2 Outbound
3.3.3.3 4.4.4.4 Inbound
5.5.5.5 4.4.4.4 Inbound
1.1.1.1 8.8.8.8 Outbound

 

I want to group them by either Internal OR External, based on what is in the Direction field, if its Outbound I want to group by Internal , if its Inbound I want to group by External, and get the count.
I would like to get the following table as a result:

Internal External Count Grouped by Direction
1.1.1.1 2.2.2.2
8.8.8.8		 2 1.1.1.1 Outbound
3.3.3.3
5.5.5.5		 4.4.4.4 2 4.4.4.4 Inbound


Thanks.

Labels (4)
Labels
0 Karma
Reply

FrankVl
Ultra Champion
‎11-16-2022 02:44 AM

So effectively you want to group by src_ip

...your existing query...
| eval src_ip = if(Direction="Outbound",Internal,External)
| stats values(Internal) as Internal values(External) as External count values(Direction) as Direction by src_ip
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-16-2022 02:07 AM

Try something like this

| eventstats values(Internal) as internals by External
| eventstats values(External) as externals by Internal
| eval groupby=if(Direction="Outbound",Internal,External)
| stats values(internals) as internals values(externals) as externals values(Direction) as Direction by groupby
| eval count=max(mvcount(internals), mvcount(externals))
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...