Splunk Search

Search with 3 fields and count

manwin
Path Finder

I'm trying to create a table which shows the following: -

Domain            Client_IP      Client_User  Count
www.google.com    192.168.1.100  manwin       5
www.spurs-sg.org  192.168.1.101  User2        10

I can get a table showing me

Domain Client_IP Count

by doing the following search

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP

but I can't find a way to add in the user.

1 Solution

ftk
Motivator

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top
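As an added illustration (not part of the thread and not Splunk's code), this Python model shows the table the answer's search produces from proxy events. The sample events are constructed, and the model assumes that `top` counts Domain values inside each Client_IP/Client_User pair, applies `limit` per pair, and skips events missing any of the three fields.

```python
from collections import Counter, defaultdict

# Constructed sample proxy events (not data from the thread).
SAMPLE = (
    [("www.google.com", "192.168.1.100", "manwin")] * 3
    + [("www.spurs-sg.org", "192.168.1.100", "manwin")]
    + [("www.spurs-sg.org", "192.168.1.101", "User2")] * 2
    + [("www.google.com", "192.168.1.101", None)]  # request with no user field
)
EVENTS = [dict(zip(("Domain", "Client_IP", "Client_User"), t)) for t in SAMPLE]


def top_by(events, field, by, limit=100):
    """Model of `top limit=<limit> <field> by <by...>` (hypothetical helper)."""
    groups = defaultdict(Counter)
    for ev in events:
        # Assumption: an event lacking the counted field or any by-field
        # contributes to no row at all.
        if any(not ev.get(name) for name in (field, *by)):
            continue
        groups[tuple(ev[name] for name in by)][ev[field]] += 1

    rows = []
    for key in sorted(groups):
        counts = groups[key]
        total = sum(counts.values())
        ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
        # The limit caps the rows inside each by-group, not the whole table.
        for value, n in ranked[:limit]:
            row = {field: value, **dict(zip(by, key))}
            row["count"] = n
            row["percent"] = round(100.0 * n / total, 2)
            rows.append(row)
    return rows


if __name__ == "__main__":
    for r in top_by(EVENTS, "Domain", ("Client_IP", "Client_User")):
        print(r)
```

The event without a Client_User never appears in the output, which is worth checking first when the same search returns fewer rows than expected on a different data set.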

manwin
Path Finder

Thanks I've given it a tick. Thanks for your response.

ftk
Motivator

Feel free to accept usable answers -- helps close out the question and makes the site more usable for new users especially. Thanks!

manwin
Path Finder

Thanks, I just tested with my sample data and it worked.
Interestingly, when I was testing the exact same command at my customer's location, it did not give me any results.
