Splunk Search

Grouping results in a table by IP address

stakor
Path Finder

I know I have bumped into this in the past, but I can't think of a good keyword to do a search on...

I have a search that produces a list of IPs, most have multiple content categories associated with them. I want to create a table, where each IP is listed once, and all the content categories that are associated with that IP are listed with that IP. For example:

1.1.1.1 test1
1.1.1.1 test2
1.1.1.1 test3
1.1.1.2 test1

Would go into a table like:

1.1.1.1 test1
        test2
        test3

1.1.1.2 test1

I know that there is a way to cluster the results around the IP address. I just can't think of the right term to google. Anyone know what I should be searching for?

1 Solution

starcher
Influencer

You can do | stats values(field) as field by ip


jstoner_splunk
Splunk Employee

I believe you are looking for something like this:

* |stats values(dest) by src

Do your search to get the data reduced to what you want and then do a stats command by the name of the field in the first column, but then do a values around the second column to get all the test1, test2, test3 values.

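To try the grouping the answers describe without a real index, here is an added example (not code from either poster) that fabricates the four sample rows from the question with makeresults and then collapses them with stats values() ... by ip; the field names ip and category are assumed:

```spl
| makeresults count=4
| streamstats count AS n
| eval ip=if(n<=3, "1.1.1.1", "1.1.1.2")
| eval category=case(n==1, "test1", n==2, "test2", n==3, "test3", n==4, "test1")
| stats values(category) AS categories, dc(category) AS category_count BY ip
```

The result has one row per ip with categories as a multivalue field (1.1.1.1 shows test1, test2, test3; 1.1.1.2 shows test1) and dc() giving the distinct count per ip. values() de-duplicates and sorts the values; use list(category) instead if you need duplicates kept in their original order.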
