Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How To List A Column Value Once in a Table?

skoelpin
SplunkTrust
SplunkTrust
‎07-17-2015 07:23 AM

I'm doing a project to detect click fraud. I created several extractions to take out the IP address, Web Request from that IP address, and the Browser they used from multiple indexes within Splunk. I put them in a table which is showing correctly but have one last issue explained below

I currently have the same IP listed multiple times throughout the table with its web requests. I need to only list that IP Address one time with all the web requests. How can I go about making that IP address distinct to where it lists only once?

I need all occurrences of the web requests tied to that IP to also be listed.. BONUS, how do I add another column counting the number of times that IP occurs?

Here's my search 

index=access OR index=main | transaction RTG_JSession   | table  RTG_IPmain RTG_WebRequest RTG_Browser | where isnotnull(RTG_IPmain)
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 07:44 AM

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

View solution in original post

Reply
Solved! Jump to solution
Solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 07:44 AM

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-17-2015 08:45 AM

This is close to what I was looking for, but the Browser got stripped from the table results. It successfully added the count column, but its giving a value of 1 for each web request. I need to sum the values for the number of times the IP occurred in the logs

0 Karma
Reply
Solved! Jump to solution

jnussbaum_splun
Splunk Employee
Splunk Employee
‎07-17-2015 09:04 AM

Added the RTG_Browser in: index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(RTG_Browser) as RTG_Browser, list(count) as count by RTG_IPmain, sum(count) as total by RTG_IPmain

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...