Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to display output of the stats values function for two fields that have corresponding/related values

ezmo1982
Path Finder
‎12-18-2020 02:51 AM

Hi,

I have the below search:

| tstats values(Authentication.src_ip) as src_ip values(Authentication.src_host) as src_host
from datamodel=Authentication.Authentication where Authentication.user=*
by Authentication.dest, Authentication.action, Authentication.user, Authentication.app | `drop_dm_object_name("Authentication")`
| stats count(eval(action=="failure")) as failure, count(eval(action=="success")) as success, dc(dest) as dest_count, values(src_ip) as src_ip, values(src_host) as src_host

The search will display values of certain fields from the Authentication data model. Two of the fields have multivalues stored in them - Authentication.src. and Authentication.src_host. Authentication.src_host is a calculated eval field of the datamodel that performs a dns lookup of the Authentication.src field (which is an IP address)

The problem Im having is that the stats values command will display columns of the values of these two fields in alphanumeric order when I run the above search. Which basically means that the src value will not be displayed inline with its correct corresponding src_host value. From below example, src_host value for 10.1.1.1 is actually chost, but a_host is displayed alongside it as it is sorted alphanumerically.

src             src_host

10.1.1.1   a_host

10.1.1.2   b_host

10.1.1.3   c_host

Is there a way I can output the values of the src_host field with its corresponding correct value for the src field?

Thanks!

Labels (2)
Labels
Preview file
97 KB
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-18-2020 04:19 AM

stats list(src_ip) as src_ip rather than values will preserve the order although you could get duplicates. Alternatively, can you do the lookup of the hostname after the stats?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...