Splunk Search

Search with 3 fields and count

Path Finder

I'm trying to create a table which shows the following: -

Domain Client_IP Client_User Count

www.google.com 192.168.1.100 manwin 5

www.spurs-sg.org 192.168.1.101 User2 10

I can get a table showing me

Domain Client_IP Count

by doing the following search

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP

but I can't find a way to add in the user.

Tags (1)
0 Karma
1 Solution

Motivator

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

View solution in original post

Motivator

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

View solution in original post

Path Finder

Thanks I've given it a tick. Thanks for your response.

0 Karma

Motivator

Feel free to accept usable answers -- helps close out the question and makes the site more usable for new users especially. Thanks!

Path Finder

Thanks, I just tested with my sample data and it worked.......
Interestingly when I was testing the exact same command at my customer's location it did not give me any results.

0 Karma