Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need stats count per host and process_name

deckard1984
Engager
‎01-21-2025 05:18 AM

Right now a have a table list with fields populated where one process_name is repeating across multiples hosts with same EventID. 

index=main_sysmon sourcetype=xmlwineventlog process_exec=test EventCode=11 dest=hosts*
| strcat "Event ID: ", EventID " (" signature ")" timestampType
| strcat "EventDescription: " EventDescription " | TargetFilename: " TargetFilename " | User: " User activity 
| strcat EventDescription ": " TargetFilename " by " User details 
| eval attck = "N/A" 
| table Computer , UtcTime, timestampType, activity, Channel, attck, process_name

I want to have a total sum of counts per same host and process_name with all activity (or target file names listed under). For e.g

Computer | UTC | timestamp | activity     | process_name    | count       |
1                          | File list    | same - repeats  | missing value
2                          | File list    | same - repeats  | missing value

 

Labels (3)
Labels
0 Karma
Reply

deckard1984
Engager
‎01-21-2025 06:22 AM

Grazie. 

I used:

| stats count latest(_time) AS _time values(*) as * by Computer

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 07:37 AM

Hi @deckard1984 ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-21-2025 05:22 AM

Hi @deckard1984 ,

do you know the stats command (https://docs.splunk.com/Documentation/SCS/current/SearchReference/StatsCommandOverview)?

index=main_sysmon sourcetype=xmlwineventlog process_exec=test EventCode=11 dest=hosts*
| strcat "Event ID: ", EventID " (" signature ")" timestampType
| strcat "EventDescription: " EventDescription " | TargetFilename: " TargetFilename " | User: " User activity 
| strcat EventDescription ": " TargetFilename " by " User details 
| eval attck = "N/A" 
| stats 
     count
     latest(_time) AS _time
     values(activity) AS activity
     BY Computer process_name

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...