Splunk Search

How do I add a field to my chart?

ttoine
Explorer

I am working on a graph in order to identify the most pinging customer accounts (traffic optimization, security). I would like to add the field clientip (relative to the customer-account, of course) in another column.

The top would be to have the graph, and when I pass the mouse over a bar, it should display the customer-account and the clientip. But if I can have at least the graph and the data below, that would be good enough.

| chart count BY customer-account | sort -count |head 50

I tried many ways, but I have an error, or no match. I don't see how to do that. Is it possible?

1 Solution

ttoine
Explorer

So I did it this way to have the column I want.

| chart mode(clientip) AS ip_adress, count BY customer-account | sort -count | head 50

I use mode in case a customer account has more than one clientip in the events (e.g. someone using a smartphone or a laptop).

Now I need to find how to keep clientip in the statistics but remove it from the visualization (or display it in another way). But this is another question.



somesoni2
Revered Legend

Give this a try

your base search | eval customer-account='customer-account'.":".clientip  | chart count BY customer-account | sort -count |head 50

OR

your base search | chart count over customer-account by clientip | addtotals | sort -Total | head 50
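As an added illustration (not code from this thread), the two aggregations discussed above, the accepted `chart mode(clientip) AS ip_adress, count BY customer-account` shape and somesoni2's `chart count over customer-account by clientip | addtotals` pivot, reimplemented in Python over a constructed set of events. It makes the difference visible for a traffic-optimization or abuse review: `mode()` keeps only one IP per account, while the pivot keeps every IP an account used. The tie-breaking rule for `mode()` is an assumption of this example, not documented Splunk behaviour.

```python
from collections import Counter, defaultdict

# Constructed sample events (not from the original thread): one request each,
# carrying the customer-account and the clientip it came from.
EVENTS = [
    {"customer-account": "acct-A", "clientip": "10.0.0.1"},
    {"customer-account": "acct-A", "clientip": "10.0.0.1"},
    {"customer-account": "acct-A", "clientip": "10.0.0.2"},
    {"customer-account": "acct-B", "clientip": "10.0.0.3"},
    {"customer-account": "acct-B", "clientip": "10.0.0.3"},
    {"customer-account": "acct-B", "clientip": "10.0.0.3"},
    {"customer-account": "acct-B", "clientip": "10.0.0.4"},
    {"customer-account": "acct-C", "clientip": "10.0.0.5"},
]


def _count_by_account(events):
    """Group events into {customer-account: Counter(clientip -> hits)}."""
    per_account = defaultdict(Counter)
    for ev in events:
        per_account[ev["customer-account"]][ev["clientip"]] += 1
    return per_account


def chart_mode_count(events, head=50):
    """Mirror `| chart mode(clientip) AS ip_adress, count BY customer-account
    | sort -count | head N`: one row per account with its most frequent IP."""
    rows = []
    for account, ips in _count_by_account(events).items():
        # mode() keeps ONE value; ties resolve to the first-seen IP here
        # (assumption for this example, not a documented Splunk guarantee).
        ip_address, _ = ips.most_common(1)[0]
        rows.append({"customer-account": account,
                     "ip_adress": ip_address,
                     "count": sum(ips.values())})
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows[:head]


def chart_over_by_addtotals(events, head=50):
    """Mirror `| chart count over customer-account by clientip | addtotals
    | sort -Total | head N`: one row per account, one column per clientip,
    so every IP an account used stays visible (zero where unused)."""
    all_ips = sorted({ev["clientip"] for ev in events})
    rows = []
    for account, ips in _count_by_account(events).items():
        row = {"customer-account": account}
        row.update({ip: ips.get(ip, 0) for ip in all_ips})
        row["Total"] = sum(ips.values())  # what addtotals appends
        rows.append(row)
    rows.sort(key=lambda r: r["Total"], reverse=True)
    return rows[:head]
```

The second shape is the one to prefer when the point is to spot an account hitting you from many addresses, since the first silently drops everything but the top IP.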