Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How To List A Column Value Once in a Table?

skoelpin
SplunkTrust
SplunkTrust
‎07-17-2015 07:23 AM

I'm doing a project to detect click fraud. I created several extractions to take out the IP address, Web Request from that IP address, and the Browser they used from multiple indexes within Splunk. I put them in a table which is showing correctly but have one last issue explained below

I currently have the same IP listed multiple times throughout the table with its web requests. I need to only list that IP Address one time with all the web requests. How can I go about making that IP address distinct to where it lists only once?

I need all occurrences of the web requests tied to that IP to also be listed.. BONUS, how do I add another column counting the number of times that IP occurs?

Here's my search 

index=access OR index=main | transaction RTG_JSession   | table  RTG_IPmain RTG_WebRequest RTG_Browser | where isnotnull(RTG_IPmain)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 07:44 AM

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

View solution in original post

Reply
Solved! Jump to solution
Solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 07:44 AM

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-17-2015 08:45 AM

This is close to what I was looking for, but the Browser got stripped from the table results. It successfully added the count column, but its giving a value of 1 for each web request. I need to sum the values for the number of times the IP occurred in the logs

0 Karma
Reply
Solved! Jump to solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 09:04 AM

Added the RTG_Browser in: index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(RTG_Browser) as RTG_Browser, list(count) as count by RTG_IPmain, sum(count) as total by RTG_IPmain

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...