Solved: Re: Search with 3 fields and count

manwin · ‎09-21-2010

I'm trying to create a table which shows the following: -

Domain Client_IP Client_User Count

www.google.com 192.168.1.100 manwin 5

www.spurs-sg.org 192.168.1.101 User2 10

I can get a table showing me

Domain Client_IP Count

by doing the following search

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP

but I can't find a way to add in the user.

ftk · ‎09-21-2010

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

View solution in original post

ftk · ‎09-21-2010

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

manwin · ‎09-21-2010

Thanks I've given it a tick. Thanks for your response.

ftk · ‎09-21-2010

Feel free to accept usable answers -- helps close out the question and makes the site more usable for new users especially. Thanks!

manwin · ‎09-21-2010

Thanks, I just tested with my sample data and it worked.......
Interestingly when I was testing the exact same command at my customer's location it did not give me any results.

Search with 3 fields and count

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Search with 3 fields and count

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases