Splunk Search

Grouping results by count

Engager

I have a search that returns values in a table like this:

USER    TIME    IP    Location
user1   time1   ip1   loc1
user1   time2   ip1   loc1
user2   time2   ip2   loc2
user1   time3   ip3   loc1
user3   time3   ip4   loc4
user1   time4   ip4   loc1

I want to search by grouped User Counts so I tried something like this:


...| stats Count by User values(User) values(Time) values(IP) values(Location)

Which gives me:

USER    TIME    IP    Location
user1   time1   ip1   loc1
        time2   ip3
        time3
user2   time2   ip2   loc2
user3   time3   ip4   loc4
user1   time4   ip4   loc1

What I'm really after is:

USER    TIME    IP    Location
user1   time1   ip1   loc1
        time2   ip3   loc1
        time3   ip3   loc1
user2   time2   ip2   loc2
user3   time3   ip4   loc4
user1   time4   ip4   loc1

It looks like the stats command decouples the fields and reports the TIME, IP and LOC from a column perspective.
I checked around a bit and it looks like eventstats may get me closer, but I haven't been able to get it to work either.

Can this be done in Splunk? If so, can someone point me in the right direction?
Thanks!


Re: Grouping results by count

Legend

Uh, I don't see how your query can result in that output. I don't even see a count field in that table?


Re: Grouping results by count

Ultra Champion

I don't understand either. Your desired output has user1 in two places. Wouldn't you want to have them listed on a per user basis?

Could ...| stats values(TIME) values(IP) values(Location) by USER |...

be what you're after? Bear in mind that the resulting lists will be independently sorted.

Try list() instead of values() if you want all values, not just the distinct.

/K


Re: Grouping results by count

Splunk Employee

I guess I'm missing something too--but wouldn't the useful output be more like:

... | stats count by User,Time,IP,Location | ...

???

-tv


Re: Grouping results by count

Engager

Thanks for the quick replies!
Sorry, I did leave out the 'count' field ... and as for the 2 user1's, copy/paste isn't my friend.

The problem with list or values is exactly that: I get a list of the IPs in one column and a list of Times in the next, but with no relationship between the values along the row.

I'm looking to create a list of connections (TIME + IP + LOC) for all of my users. If user1 makes 4 connections during the day, I can look at the display and read off the details of each of the connections.

Thanks again!


Re: Grouping results by count

Engager

Kristian pointed me in the correct direction; I was after:

...| stats Count by User list(User) list(Time) values(IP) list(Location)

Instead of:

...| stats Count by User values(User) values(Time) values(IP) values(Location)

I really thought that I'd tried that, Thanks!

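Kristian's reply and the accepted answer both turn on the difference between values() and list() inside stats ... by USER. The following is an added example, not code from the thread or from Splunk: a small Python model of those two aggregations, run over constructed rows copied from the question's table, so the effect on the per-connection relationship can be checked directly. The helpers stats_by, agg_list, agg_values and connections are my own names; agg_values assumes Splunk's documented behaviour of returning distinct values sorted lexicographically, and agg_list assumes list() keeps every value in event order.

```python
from collections import OrderedDict

# Constructed sample events mirroring the table in the question (not real data).
ROWS = [
    {"User": "user1", "Time": "time1", "IP": "ip1", "Location": "loc1"},
    {"User": "user1", "Time": "time2", "IP": "ip1", "Location": "loc1"},
    {"User": "user2", "Time": "time2", "IP": "ip2", "Location": "loc2"},
    {"User": "user1", "Time": "time3", "IP": "ip3", "Location": "loc1"},
    {"User": "user3", "Time": "time3", "IP": "ip4", "Location": "loc4"},
    {"User": "user1", "Time": "time4", "IP": "ip4", "Location": "loc1"},
]


def agg_list(vals):
    """Model of SPL list(): every value, in event order, duplicates kept."""
    return list(vals)


def agg_values(vals):
    """Model of SPL values(): distinct values only, sorted lexicographically."""
    return sorted(set(vals))


def stats_by(rows, by_field, aggs):
    """Model of `stats count <aggs> by <by_field>` (hypothetical helper).

    aggs maps an output column to (input field, aggregation function).
    Returns one result row per distinct by_field value, in first-seen order,
    with a `count` column like Splunk's count.
    """
    groups = OrderedDict()
    for row in rows:
        groups.setdefault(row[by_field], []).append(row)
    results = []
    for key, group in groups.items():
        result = {by_field: key, "count": len(group)}
        for name, (field, fn) in aggs.items():
            result[name] = fn(r[field] for r in group)
        results.append(result)
    return results


def connections(result, cols=("Time", "IP", "Location")):
    """Read the multivalue columns back as (Time, IP, Location) connections.

    Only valid when every column has exactly one entry per event, which is
    what list() gives. If values() collapsed duplicates in any column the
    columns are ragged and the per-event relationship is gone, so None is
    returned. Equal lengths are necessary but not sufficient: values() also
    sorts each column independently, so even same-length columns may no
    longer line up.
    """
    columns = [result[c] for c in cols]
    if len({len(c) for c in columns}) != 1:
        return None
    return list(zip(*columns))


# ...| stats count list(Time) list(IP) list(Location) by User
LIST_AGGS = {c: (c, agg_list) for c in ("Time", "IP", "Location")}
# ...| stats count values(Time) values(IP) values(Location) by User
VALUES_AGGS = {c: (c, agg_values) for c in ("Time", "IP", "Location")}
# Mixed, like the thread's final search: values(IP) beside list() columns
MIXED_AGGS = {"Time": ("Time", agg_list), "IP": ("IP", agg_values),
              "Location": ("Location", agg_list)}

if __name__ == "__main__":
    for label, aggs in (("list()", LIST_AGGS), ("values()", VALUES_AGGS),
                        ("mixed", MIXED_AGGS)):
        print(f"--- {label} ---")
        for result in stats_by(ROWS, "User", aggs):
            print(result["User"], result["count"], connections(result))
```

Running it shows that with list() on all three columns, user1's four connections read straight across the row, while values() on any one column (including the values(IP) in the final search) leaves the columns ragged for user1 and the row relationship is lost. Two practical caveats when using this on real audit data: list() returns at most 100 values per group by default, so very active users need a different layout, and for an actual audit of where a user connected from, `stats count by User,Time,IP,Location` as suggested above is often the more robust shape because it never separates the fields at all.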