Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the sum of count on specific field name?

jwalzerpitt
Influencer
‎02-10-2015 01:26 PM

I have the following search query:

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_city, SourceIP_country_name | stats list(count) by SourceIP_city, SourceIP_country_name | sort by -list(count)

that produces:

alt text

How can I add/sum the SourceIP_country_name field to produce the following results:

Row Labels Sum of Count
United States 125703
China 100991
Ukraine 21944

Tags (3)
Preview file
22 KB
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-10-2015 01:58 PM

The search is a little strange, in that the second stats command will effectively be the same as | rename count as "list(count)"

To explain why, coming out of the first stats command, stats will guarantee that each row is a unique combination of SourceIP_city and SourceIP_country. Therefore for each combination of those two fields there will only be one count. Therefore when the second stats comes along and says "list all the counts for every combination", there will be exactly one. In other words normally list(foo) would give you a multivalued-field but in this case it never will. Each row will have only a single value for the count.

So... remove that second redundant stats clause. 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_city, SourceIP_country_name | sort by -count

and to get a rollup of the whole thing by just SourceIP_country_name, the easiest way is to run: 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_country_name | sort by -count

However, if for some reason you want to leave the stats command as it is in your base search, you could also just tack on | stats sum(count) as count by SourceIP_country_name | sort by -count, giving a full expression of: 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_city, SourceIP_country_name | sort by -count

| stats sum(count) as count by SourceIP_country_name | sort by -count

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎02-10-2015 01:58 PM

The search is a little strange, in that the second stats command will effectively be the same as | rename count as "list(count)"

To explain why, coming out of the first stats command, stats will guarantee that each row is a unique combination of SourceIP_city and SourceIP_country. Therefore for each combination of those two fields there will only be one count. Therefore when the second stats comes along and says "list all the counts for every combination", there will be exactly one. In other words normally list(foo) would give you a multivalued-field but in this case it never will. Each row will have only a single value for the count.

So... remove that second redundant stats clause. 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_city, SourceIP_country_name | sort by -count

and to get a rollup of the whole thing by just SourceIP_country_name, the easiest way is to run: 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_country_name | sort by -count

However, if for some reason you want to leave the stats command as it is in your base search, you could also just tack on | stats sum(count) as count by SourceIP_country_name | sort by -count, giving a full expression of: 

source="mysource" ImmediateAction=Block | geoip SourceIP | stats count by SourceIP_city, SourceIP_country_name | sort by -count

| stats sum(count) as count by SourceIP_country_name | sort by -count

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎02-17-2015 07:54 AM

Figured the sort out, as I did the following:

| sort by SourceIP_country_name,-list(count)

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎02-17-2015 07:42 AM

Playing around I was able to sort by CountryName using the following:

| stats count by SourceIP_country_name, SourceIP_city | stats list(count) by SourceIP_country_name, SourceIP_city | sort by -list(SourceIP_country_name)

Is it possible to sort first by alphabetically, then numerically within the list?

Thx

0 Karma
Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎02-17-2015 07:36 AM

Sorry for the delay in replying. Thx for the information, and the clarification on the search. How would I modify the search to show the Source_IP_country_name and then each SourceIP_city with its corresponding count? So we'd have:

CountryName CityName Couint
USA

Kansas City 100
Los Angeles 77
China
Beijing 45

Thx

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...