Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to stats count but get all values?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to stats count but get all values?
Here is the search I am trying to do and I hope I can explain this correctly....I am searching for dlp events where there are x events within a period of time for my testing I am using 1 hour...
index=epp "content threat" Policy="Content Aware Protection - Content Threat Detected"
`comment("Creating buckets of 10 minutes")`
| bin _time span=1h | stats count values(MatchedItem) by _time ClientUser, DestinationDetails, MatchedItem
| eval PotentialLeak=if(count >= 10, 1, 0)
| search PotentialLeak = 1
What I am trying to get out of this is a table of the following;
_time, ClientUser, DestinationDetails, MatchedItem etc
However, I only see one MatchedItem, not all of them for one user I know there is 12 but only see one of them.
Hope that explains it well enough and appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm surprised this works at all since the same field name is used in both the values function and in the by clause.
Note that values removes duplicates so if all 12 are the same then you will see only one. Consider using list or this alternative search.
index=epp "content threat" Policy="Content Aware Protection - Content Threat Detected"
```Creating buckets of 10 minutes```
| bin _time span=1h
| stats count values(MatchedItem) by _time ClientUser, DestinationDetails
| eval PotentialLeak=if(count >= 10, 1, 0)
| search PotentialLeak = 1
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh yeah, that is exactly what I am seeing now, when I try your search, I still only see the unique values. I will take a look at list
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @secphilomath1 ,
As per your search mentioned in the question, after the by clause, you are using the following terms,
_time ClientUser, DestinationDetails, MatchedItem
Here, since "MatchedItem" has been used after the by clause, its only looking for the values(MatchedItem) unique to every "MatchedItem", thus you only see one MatchedItem.
The correct search should be like following,
index=epp "content threat" Policy="Content Aware Protection - Content Threat Detected"
`comment("Creating buckets of 10 minutes")`
| bin _time span=1h
| stats count values(MatchedItem) by _time ClientUser, DestinationDetails
| eval PotentialLeak=if(count >= 10, 1, 0)
| search PotentialLeak = 1Hope this helps.
Kindly support the answer, if found helpful!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That has me much closer, thanks!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
