Splunk Search

How to edit my search to display a list of values in a single field?

Phoenie1
Engager

I've been looking through here for some time without success. My situation is this. I'm trying to parse regular Apache logs, specifically using the "user" field (the login of the person extracting the data), the "Source" (we use Apache virtual servers, so we have multiple sources of data depending on which URL you use to get in, and the Source elements are the various log files for the virtual hosts), and the "File" field, which file they have extracted with their request. Every line of the original log has one entry for each of source, user, and file.

What I want to get out of Splunk is a chart ordered by Source, showing a list of each external login accessing that source and a count of how many times over the selected time range; plus a field with a list of all of the discrete files they pulled. I don't care about counting the individual files, I just want to know what they were; just a list ideally in one "cell" of data. What I came up with and is failing spectacularly is this:

status=200 host="apachea.int.us.com" | stats count by source, user | sort -source | stats values(file) by source,user |  table source user count file

Any help would be hugely appreciated, I am a newbie.


somesoni2
SplunkTrust

Try something like this

status=200 host="apachea.int.us.com" | stats count as accesscount values(file) as FilesPulled by source, user | sort 0 - source
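To make the accepted search concrete, here is an added Python example (not from the answer above and not Splunk's own code) that does the same aggregation over a handful of constructed Apache access-log lines: one count per (source, user) pair, a distinct sorted list of files per pair (what `values(file)` produces), and the result ordered by source descending with no row limit (what `sort 0 - source` does). The log file paths, usernames and request paths are invented for the example; the `source` field is taken to be the per-virtual-host log file name, `user` the authenticated-user column of the common log format, and `file` the request path.

```python
import re
from collections import defaultdict

# Constructed sample data, not from the original post. Each virtual host writes
# its own access log, so the log file name plays the role of Splunk's "source".
SAMPLE_LOGS = {
    "/var/log/apache2/portal-a_access.log": [
        '10.0.0.5 - alice [10/Oct/2023:13:55:36 +0000] "GET /exports/report1.csv HTTP/1.1" 200 2326',
        '10.0.0.5 - alice [10/Oct/2023:13:56:01 +0000] "GET /exports/report2.csv HTTP/1.1" 200 1001',
        '10.0.0.5 - alice [10/Oct/2023:13:57:12 +0000] "GET /exports/report1.csv HTTP/1.1" 200 2326',
        '10.0.0.9 - bob [10/Oct/2023:14:02:44 +0000] "GET /exports/secret.xlsx HTTP/1.1" 403 512',
    ],
    "/var/log/apache2/portal-b_access.log": [
        '10.0.0.7 - carol [10/Oct/2023:15:10:00 +0000] "GET /data/dump.zip HTTP/1.1" 200 99999',
        '10.0.0.9 - bob [10/Oct/2023:15:11:30 +0000] "GET /data/dump.zip HTTP/1.1" 200 99999',
    ],
}

# Apache common log format: client ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<file>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return the extracted fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def stats_count_values(logs, status="200"):
    """Equivalent of the search
         status=<status> | stats count as accesscount values(file) as FilesPulled by source, user
                         | sort 0 - source
    Returns one dict per (source, user) pair.
    """
    counts = defaultdict(int)
    files = defaultdict(set)
    for source, lines in logs.items():
        for line in lines:
            ev = parse_line(line)
            if ev is None or ev["status"] != status:
                continue
            key = (source, ev["user"])
            counts[key] += 1          # stats count as accesscount
            files[key].add(ev["file"])  # stats values(file): distinct values only
    rows = [
        {
            "source": s,
            "user": u,
            "accesscount": counts[(s, u)],
            "FilesPulled": sorted(files[(s, u)]),  # values() returns a sorted multivalue field
        }
        for (s, u) in counts
    ]
    # sort 0 - source: no row limit, descending by source. Tie order within a
    # source is not part of the search; ascending user is this example's choice.
    rows.sort(key=lambda r: r["user"])
    rows.sort(key=lambda r: r["source"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in stats_count_values(SAMPLE_LOGS):
        print(row["source"], row["user"], row["accesscount"], row["FilesPulled"])
```

Two things the run makes visible: alice's three requests collapse to an `accesscount` of 3 with only two distinct entries in `FilesPulled`, which is exactly the "one cell per user" the question asked for; and the `status=200` filter silently drops bob's 403 on `secret.xlsx`. When the goal is reviewing who pulled what, it is worth running the same aggregation a second time with `status="403"` (the function takes it as a parameter) so denied download attempts are listed alongside the successful ones.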

Phoenie1
Engager

Thank you - that was humiliatingly simple.

somesoni2
SplunkTrust

Happy that it serves your purpose. Feel free to accept the answer if there are no follow-up questions.
