Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search to group by Country, City having count ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danje57
Path Finder
03-11-2015
06:51 AM
Hello,
I try to create stats to have all countries and cities that communicate with my servers.
I made this search:
sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats values(City) AS CityName, count by Country | sort - count
It give me in the first column the Country, then in the second column all cities in this country and in the last third column the total count.
I would like to have such thing instead:
Country name | Cities Name (count) | Total Count
United States | New York (5) | 10
| Boston (3) |
| Washington (2) |
France | Paris (10) | 12
| Marseille (2) | 2
I don't know how to do that to append the "(nbr)" to the City name
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-23-2015
11:00 AM
Here you go
sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats count by Country,City | eval City=City."(".count.")" | stats values(City) as CityName, sum(count) as "Total Count" by Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-23-2015
11:00 AM
Here you go
sourcetype="syslog" deviceVendor="Apache" | iplocation ipVisitor | eval City= if(isnull(City) OR City="", "Unknown_City", City) | stats count by Country,City | eval City=City."(".count.")" | stats values(City) as CityName, sum(count) as "Total Count" by Country
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danje57
Path Finder
03-24-2015
05:13 AM
Exactly that I need!
Many thanks!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
danje57
Path Finder
03-23-2015
07:11 AM
You mean using multikv?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tachifelix
Path Finder
03-23-2015
05:13 AM
i propose you to make multi-values fields for City and count. look how to use multi-values in search reference manual page 258
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
