So I have events which have the following fields that I would like to sort by:
app, dst_ip, bytes
Preferably I would want to display them in a table such as:
web-browsing   I'M.A.DST.IP   1571453
               I'M.A.DST.IP     71453
               I'M.A.DST.IP      1453
skype          I'M.A.DST.IP   1412345
gmail-base     I'M.A.DST.IP   1012345
               I'M.A.DST.IP    212345
ssl            I'M.A.DST.IP    612345
               I'M.A.DST.IP    123456
               I'M.A.DST.IP     12345
               I'M.A.DST.IP      1234
The sort function would preferably have these apps sorted via "-bytes" while also showing a breakout of the associated dst_ips and their respective byte counts under each app (again sorted via -bytes). I am hoping this is possible via the search language, whether with table or any other data formatting command. I recall stumbling across a grouping command before and I can't seem to find it again.
Thank you for any help/assistance on this.
Sincerely,
Alex
It's the stats command you're looking for. stats can perform any number of statistical operations, and it can run them for each value of a single field, or for each unique combination of multiple fields. In your case I think you want:
<your search> | stats sum(bytes) as bytes by app, dst_ip | sort - app, - bytes
Note that I'm doing a double sort with the sort command, to give you the primary and secondary sorting that you're looking for.
http://www.splunk.com/base/Documentation/latest/SearchReference/Stats
http://www.splunk.com/base/Documentation/latest/SearchReference/Sort
Thanks, this is working wonderfully.
I was wondering though, is there a way to only show the app name for the first entry of each section of IPs/bytes? This would be preferred for presentation.
Sure. You can tack this onto the end:
| streamstats current=f last(app) as previousApp | eval app=if(app==previousApp,"",app) | fields - previousApp
However, note that if your table is split across multiple pages this could get quite confusing for your users.
That is just what I was looking for. I agree it will potentially make it difficult if it is presented across multiple pages; I appreciate having the options for layout though.
Thank you very much for your help!
Nice hack. But I wish Splunk would bring a simple XML "mergecell" table option.
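Putting the stats answer and the streamstats follow-up together, here is the complete search as an added example; it is not code from either of the answers above. It goes one step beyond the stats answer: the question asked for the apps themselves to be ordered by byte count, so an eventstats pass computes a per-app total before sorting, and the sort uses that total as the primary key, then orders the dst_ip rows within each app by bytes descending. The streamstats blanking is applied last, after the sort, because once app is blanked any later sort or stats on that field would be wrong. The names <your search>, app, dst_ip and bytes come from the question; app_bytes and previousApp are helper fields this example introduces.

```spl
<your search>
| stats sum(bytes) as bytes by app, dst_ip
| eventstats sum(bytes) as app_bytes by app
| sort 0 -app_bytes, +app, -bytes
| streamstats current=f last(app) as previousApp
| eval app=if(app==previousApp, "", app)
| fields - app_bytes, previousApp
| table app, dst_ip, bytes
```

sort 0 lifts the default 10,000-row limit that sort otherwise applies. The eval compares with == rather than match(), because match() treats previousApp as a regular expression: a previous app of ssl would also blank a following app named ssl-tunnel, and an app name containing regex metacharacters could error out. On the sample values in the question this produces exactly the layout shown there (web-browsing, skype, gmail-base, ssl, with each app's IPs in descending byte order). The paging caveat from the answer still applies: keep the blanking as the final step, and if users page through the table the first row of a later page will carry no visible app name.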