Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count by mvexpand field result

cowmanchiang
Engager
‎07-15-2013 09:08 PM

Now I have a table about id and ip, like this.

ID      IP

AA    1.1.1.1

AA    1.1.1.1

AA    1.1.1.2

AA    1.1.1.3

AA    1.1.1.3

AA    1.1.1.3

BB    1.1.2.1

BB    1.1.2.1

BB    1.1.2.1

Because I want to get the result, it will be sorted by totalcount first, like this

ID     IP             count     totalcount

AA   1.1.1.3       3           6

AA   1.1.1.1       2           6

AA   1.1.1.2       1           6

BB   1.1.2.1       3           3

I use "sourcetype="mail" [search sourcetype="mail" | top id | table id] | stats count, values(ip) by id | sort - count | rename count as totalcount | mvexpand ip | table id, ip, totalcount"

It will get

ID     IP             totalcount

AA   1.1.1.3       6

AA   1.1.1.1       6

AA   1.1.1.2       6

BB   1.1.2.1       3

How to get the count by each id, ip?
Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-15-2013 11:01 PM

Probably easier to do:

sourcetype="mail" [search sourcetype="mail" | top id | table id] | stats count by id,ip | eventstats count as totalcount by id

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-15-2013 11:01 PM

Probably easier to do:

sourcetype="mail" [search sourcetype="mail" | top id | table id] | stats count by id,ip | eventstats count as totalcount by id
Reply
Solved! Jump to solution

cowmanchiang
Engager
‎07-15-2013 11:12 PM

Thanks, it's useful to me.
I also edit it to
sourcetype="mail" [search sourcetype="mail" | top id | table id] | stats count by id,ip | eventstats sum(count) as totalcount by id

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...