Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a table with raw events after stats?

jwalzerpitt
Influencer
‎09-19-2019 06:27 AM

I am running the following search looking for a user who logins in from multiple cities within a five minute time period.

index=foo
| bin span=5m _time 
| dedup src 
| iplocation src 
| stats count by _time City src user 
| sort -count 
| stats list(_raw) as event, values(City) as City, dc(City) as City_Count, values(src) as IP, sum(count) as Total by user 
| where City_Count > 3
| sort -Total 
| table _time user City IP

Is there a way to add syntax to create a table at the end of the search that lists the raw events associated with any of the results returned?

Thx

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 06:47 AM

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2019 06:50 AM

Hi jwalzerpitt,
I think that add the raw events to this table give less readabilty to the panel, I suggest to create a new panel down or on the right of this panel where open the raw events for each user.
You can create a drilldows in dashboard, so when you click on a row of this panel you open a different panel with all the events od that user.
To understand how to do this see the example "In-page Drilldown with Perma-Linking" in Dashboard Examples App ( https://splunkbase.splunk.com/app/1603/ ) .

bye.
Giuseppe

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎09-19-2019 06:56 AM

Giuseppe,

Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 06:47 AM

The stats command discards the raw events and only returns the fields mentioned in its arguments. To retain the raw events, use eventstats or streamstats.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎09-19-2019 06:55 AM

Thx Rich

On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command?

Thx again

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-19-2019 07:23 AM

It depends on what you want to accomplish. This should be a separate question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎09-19-2019 07:26 AM

Thx - will post as a separate question

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...