Splunk Search
Highlighted

## How to count each tupple values by day of the week

Explorer

I got a query like this,

``````%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats values(denyTuppleValue),count(denyTuppleValue) by date_wday
``````

Result

``````date_wday   values(denyTuppleValue) count(denyTuppleValue)
wednesday   xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx   520
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
thursday  xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx   10
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
``````

But i need to get the count for each denyTuppleValue not the count for the day. Which would look like

``````date_wday   values(denyTuppleValue) count(denyTuppleValue)
wednesday   xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx   110
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx      20
xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx     130
``````

Any ideas would be much apprecieated.

Tags (3)
1 Solution
Highlighted

## Re: How to count each tupple values by day of the week

Builder

What happen if you change your search to:

``````%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats values(denyTuppleValue),count(denyTuppleValue) by date_wday, denyTuppleValue
``````
Highlighted

## Re: How to count each tupple values by day of the week

Explorer

this works , but the day get repeated for each value. but i think this is what i after. Cheers for the help

Highlighted

## Re: How to count each tupple values by day of the week

SplunkTrust

You can even leave off the `values(denyTuppleValue)` when grouping by that very field.

Highlighted

## Re: How to count each tupple values by day of the week

Explorer

true , i should get rid of that

Highlighted

## Re: How to count each tupple values by day of the week

SplunkTrust

Give this a try

`````` %asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats count(denyTuppleValue) as count by date_wday,denyTuppleValue | stats values(denyTuppleValue) values(count) by date_wday
``````
Highlighted

## Re: How to count each tupple values by day of the week

Explorer

this is also works, but you need to click the day inorder to go to the view i want. but yeah i can reuse your query to get the values i'm after and saving into a CSV file. thanks for the help