Splunk Search

How to create a table with raw events after stats?

jwalzerpitt
Influencer

I am running the following search looking for a user who logs in from multiple cities within a five minute time period.

index=foo
| bin span=5m _time 
| dedup src 
| iplocation src 
| stats count by _time City src user 
| sort -count 
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user 
| where City_Count > 3
| sort -Total 
| table _time user City IP

Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?

Thx

0 Karma
1 Solution

richgalloway
SplunkTrust

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.

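As an added example (not Rich's code and not the original search), here is the search rewritten so the raw events survive to the end: eventstats attaches the distinct-city count to every event instead of collapsing the events, so a later stats can still collect _raw with list(). It assumes the events carry src and user fields and that iplocation fills City from src; the names Max_Cities_Per_5m and event are chosen here, and the city count is taken per user within each 5-minute bin rather than across the whole search window.

```spl
index=foo
| bin span=5m _time
| iplocation src
| eventstats dc(City) as City_Count by _time user
| where City_Count > 3
| stats max(City_Count) as Max_Cities_Per_5m, values(City) as City, values(src) as IP, list(_raw) as event by _time user
| sort -Max_Cities_Per_5m
| table _time user Max_Cities_Per_5m City IP event
```

Each row is one user in one 5-minute bin with the matching login events in the event column (list() keeps at most 100 values per group); to see one row per event instead, drop the final stats and table _raw directly after the where. The original dedup src is omitted because it would keep only one event per source address across the whole search window, hiding repeat logins from the same address in later bins.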

gcusello
SplunkTrust

Hi jwalzerpitt,
I think that adding the raw events to this table gives the panel less readability; I suggest creating a new panel below or to the right of this panel where the raw events for each user are opened.
You can create a drilldown in the dashboard, so when you click on a row of this panel you open a different panel with all the events of that user.
To understand how to do this, see the example "In-page Drilldown with Perma-Linking" in the Dashboard Examples App (https://splunkbase.splunk.com/app/1603/).

bye.
Giuseppe

jwalzerpitt
Influencer

Giuseppe,

Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.

0 Karma

jwalzerpitt
Influencer

Thx Rich

On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?

Thx again

0 Karma

richgalloway
SplunkTrust

It depends on what you want to accomplish. This should be a separate question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jwalzerpitt
Influencer

Thx - will post as a separate question

0 Karma