Solved: How To List A Column Value Once in a Table?

skoelpin · ‎07-17-2015

I'm doing a project to detect click fraud. I created several extractions to take out the IP address, Web Request from that IP address, and the Browser they used from multiple indexes within Splunk. I put them in a table which is showing correctly but have one last issue explained below

I currently have the same IP listed multiple times throughout the table with its web requests. I need to only list that IP Address one time with all the web requests. How can I go about making that IP address distinct to where it lists only once?

I need all occurrences of the web requests tied to that IP to also be listed.. BONUS, how do I add another column counting the number of times that IP occurs?

Here's my search

index=access OR index=main | transaction RTG_JSession   | table  RTG_IPmain RTG_WebRequest RTG_Browser | where isnotnull(RTG_IPmain)

jnussbaum_splun · ‎07-17-2015

View solution in original post

jnussbaum_splun · ‎07-17-2015

skoelpin · ‎07-17-2015

This is close to what I was looking for, but the Browser got stripped from the table results. It successfully added the count column, but its giving a value of 1 for each web request. I need to sum the values for the number of times the IP occurred in the logs

jnussbaum_splun · ‎07-17-2015

Added the RTG_Browser in: index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(RTG_Browser) as RTG_Browser, list(count) as count by RTG_IPmain, sum(count) as total by RTG_IPmain

How To List A Column Value Once in a Table?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?