Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

How to add the count of two different fields' values?

i111040d
New Member
‎06-20-2016 08:49 AM

For example:

|stats count by src_ip

src_ip count
1.1.1.1 100
2.2.2.2 200
3.3.3.3 300

|stats count by dst_ip

dst_ip count
1.1.1.1 200
2.2.2.2 300
3.3.3.3 400

On these conditions, I wan to create the table

ip_addr count
1.1.1.1 300
2.2.2.2 500
3.3.3.3 700

How can I create the table?

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution
Solution

Re: How to add the count of two different fields' values?

sundareshr
Legend
‎06-20-2016 09:59 AM

Assuming both fields exist on each event, try this

.... | eval ip=src_ip.",".dst_ip | makemv ip delim="," | mvexpand ip | stats count by ip

View solution in original post

0 Karma
Reply
Highlighted
Solved! Jump to solution

Re: How to add the count of two different fields' values?

i111040d
New Member
‎06-21-2016 07:46 AM

I could do it!
Thanks a lot bro 🙂

0 Karma
Reply