Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Proofpoint - Count occurrences AFTER Grouping via Transaction Command

RB5
Path Finder
‎06-11-2014 02:10 PM

There are log entries as seen below. When they are SEPARATE events, the following command works to count the # of occurrences of each type: index.... | stats count by type

type count
png 2
gif 3
pdf 1

But I need to use the transaction command in order to gather other information (like direction: inbound or outbound). Once I do so, via: index..... | transaction host,s,m maxspan=301s | stats count by type

such that it is now ONE EVENT, I get the results below, as if it is counting them distinctly. I want to get the results as above, the actual count of the occurrences of each.
Thanks.

type count
png 1
gif 1
pdf 1

Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image006.png type=png
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image007.png type=png
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image009.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image010.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file=image011.gif type=gif
Jun 7 00:50:15 lrdna0n2xepmx10 s=1mb0nj7xyk m=1 mod=mail cmd=attachment file="loan repayment.pdf" type=pdf

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

RB5
Path Finder
‎06-13-2014 05:03 PM

Using the max_match parm with the rex command worked. Pat myself on the back.

View solution in original post

Reply
Solved! Jump to solution

eckolp2003
Path Finder
‎10-11-2017 07:34 PM

Proofpoint now has a beta app that will allow you report on and visualze your Proofpoint Protection Server and TAP data! Check out the new app here:

https://splunkbase.splunk.com/app/3727/#/details

Be sure to follow the instructions listed in the details to get all the needed TA's etc that the app needs to work correctly.

There are pre-built dashboards to aid in searching for message events.

0 Karma
Reply
Solved! Jump to solution
Solution

RB5
Path Finder
‎06-13-2014 05:03 PM

Using the max_match parm with the rex command worked. Pat myself on the back.

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...