Splunk Search

How To List A Column Value Once in a Table?

skoelpin
SplunkTrust
SplunkTrust

I'm doing a project to detect click fraud. I created several extractions to take out the IP address, Web Request from that IP address, and the Browser they used from multiple indexes within Splunk. I put them in a table which is showing correctly but have one last issue explained below

I currently have the same IP listed multiple times throughout the table with its web requests. I need to only list that IP Address one time with all the web requests. How can I go about making that IP address distinct to where it lists only once?

I need all occurrences of the web requests tied to that IP to also be listed.. BONUS, how do I add another column counting the number of times that IP occurs?

Here's my search

index=access OR index=main | transaction RTG_JSession   | table  RTG_IPmain RTG_WebRequest RTG_Browser | where isnotnull(RTG_IPmain)
Tags (3)
0 Karma
1 Solution

jnussbaum_splun
Splunk Employee
Splunk Employee

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

View solution in original post

jnussbaum_splun
Splunk Employee
Splunk Employee

try index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(count) as count by RTG_IPmain

skoelpin
SplunkTrust
SplunkTrust

This is close to what I was looking for, but the Browser got stripped from the table results. It successfully added the count column, but its giving a value of 1 for each web request. I need to sum the values for the number of times the IP occurred in the logs

0 Karma

jnussbaum_splun
Splunk Employee
Splunk Employee

Added the RTG_Browser in: index=access OR index=main | transaction RTG_JSession | search RTG_IPmain!="" | stats count by RTG_IPmain, RTG_WebRequest, RTG_Browser | sort -count | stats list(RTG_WebRequest) as WebRequest, list(RTG_Browser) as RTG_Browser, list(count) as count by RTG_IPmain, sum(count) as total by RTG_IPmain

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...