Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I count and sum multivalue fields by another multivalue field?

Log_wrangler
Builder
‎12-20-2018 12:34 PM

Hi,

I am hitting a dead end with my search...

I have two multivalue fields:

Site_ID - has 100's of values
Attack - has 10 values

I want a report that shows the count of individual attacks and total attacks by Site_ID

Site_ID                     XSS         SQLi    Total by Site
my.site.com              10           12         24

I have been using this as a base search 

index=Firewall sourcetype=Firewall_logs
Attack = SQLi OR
Attack = xSS OR
| chart count over Site_ID by Attack

But I just cannot find the right syntax to produce the needed report.

Any help would be greatly appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2018 01:22 PM

The stats, chart, and timechart commands are all multi-value-safe so all that you need is a total column? That is cake, just add | addtotals row=t col=f fieldname="Total by Site". See this run-anywhere example:

index=_* 
| rename sourcetype AS Attack, host AS Site_ID 
| chart count OVER Site_ID BY Attack
| addtotals row=t col=f fieldname="Total by Site"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-20-2018 01:22 PM

The stats, chart, and timechart commands are all multi-value-safe so all that you need is a total column? That is cake, just add | addtotals row=t col=f fieldname="Total by Site". See this run-anywhere example:

index=_* 
| rename sourcetype AS Attack, host AS Site_ID 
| chart count OVER Site_ID BY Attack
| addtotals row=t col=f fieldname="Total by Site"
0 Karma
Reply
Solved! Jump to solution

Log_wrangler
Builder
‎12-20-2018 01:56 PM

Thanks, you're right... cake, forgot how to do it.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...