Splunk Search

How to get count of each source by IP ?

Vani_26
Path Finder

Query:
|tstats count where index=afg-juhb-appl   host_ip=*     source=*     TERM(offer)

i want to get the count of each source by host_ip as shown below.
output:

source11.56.67.1211.56.67.1511.56.67.1811.56.67.19
/app/clts/shift.logs987676789
/apps/lts/server.logs45456743
/app/mts/catlog.logs89896556
/var/http/show.logs12874365
Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

I should have included source in the by clause.  Then you can use the xyseries command to rearrange the table.

 

|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by source, host_ip
| xyseries source host_ip count

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

What does the current query give you?  Is the offer field indexed?

Have you tried grouping by host_ip?

|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by host_ip
---
If this reply helps you, Karma would be appreciated.
0 Karma

Vani_26
Path Finder

hi @richgalloway 

1. What does the current query give you?  Is the offer field indexed?

No offrer  field is not an index field.

2. When i tried to use the below query i am getting the output as:

|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by host_ip

host_ipcount
11.56.67.1245
11.56.67.1456


But i am not expecting this output.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I should have included source in the by clause.  Then you can use the xyseries command to rearrange the table.

 

|tstats count where index=afg-juhb-appl host_ip=* source=* TERM(offer) by source, host_ip
| xyseries source host_ip count

 

---
If this reply helps you, Karma would be appreciated.

Vani_26
Path Finder

Thank you @richgalloway  it worked

 

 

 

0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...