Splunk Search

Sorting the stats values results by count, and including count in results

soundchaos
Path Finder

I am trying to get a search result that shows a single IP associated with all of its user agents, but I would like the IPs sorted by the overall amount of hits rather than sorted in numerical order. I would also like to be able to see the count of hits in the end result as well. Thanks in advance!

My current search:

index="logs" source="mywebsite.com" | stats values(cs_User_Agent_) as cs_User_Agent_ by c_ip

Right now it returns:

IP: 11.00.00.00

User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...

IP: 22.00.00.00

User Agent: 1. Mozilla/5.0...

IP: 33.00.00.00

User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
3. Mozilla/5.0...

I am looking to get results like:

IP: 64.00.00.00 - Count: 13451

User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...

IP: 109.00.00.00 - Count: 636

User Agent: 1. Mozilla/5.0...

IP: 72.00.00.00 - Count: 122

User Agent: 1. Mozilla/5.0...
2. Mozilaa/4.0...
3. Mozilla/5.0...

1 Solution

martin_mueller
SplunkTrust

Try something like this:

index="logs" source="mywebsite.com" | stats count values(cs_User_Agent_) as cs_User_Agent_ by c_ip

You'll get three fields - the IP, the count per IP, and the user agents.

soundchaos
Path Finder

Thanks! That was way easier than everything I have been trying for the last hour... Would you also have any ideas on how I might sort these results based on how many user agents each IP has, without changing the format of the results? I thought something like | sort -mvcount(cs_User_Agent_) might work, but it does not.

martin_mueller
SplunkTrust

You can add dc(cs_User_Agent_) as dc to the stats and run | sort - dc | fields - dc at the end.

soundchaos
Path Finder

If I am doing it right, that lists just the number of agents used, instead of each individual agent? I was hoping to be able to sort exactly like this, except for showing the full text of each user agent, rather than just the number of how many. Sorry that I am using the comment for an entirely different question 😕

martin_mueller
SplunkTrust

Keep the values(cs_User_Agent_) untouched. That way you get the distinct count and the values, sort by distinct count, throw away the distinct count.
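Putting the accepted answer and the dc() follow-up together, as an added example that is not part of any post in this thread. It keeps the index, source and field names from the question (c_ip and cs_User_Agent_ as the IIS W3C extraction names them here); the output field names hits and ua_count are my own choice. The block holds two searches: the first ranks IPs by total hits, which is the original question, and the second ranks them by how many distinct user agents each IP presented, which is the follow-up, then drops the helper field so the result keeps the same IP / user-agent layout.

```spl
index="logs" source="mywebsite.com"
| stats count AS hits, values(cs_User_Agent_) AS cs_User_Agent_ BY c_ip
| sort 0 - hits

index="logs" source="mywebsite.com"
| stats count AS hits, dc(cs_User_Agent_) AS ua_count, values(cs_User_Agent_) AS cs_User_Agent_ BY c_ip
| sort 0 - ua_count, - hits
| fields - ua_count
```

A few things to keep in mind when reading the output. values() de-duplicates and returns the distinct strings in lexicographic order, so the numbered user-agent list is not ordered by frequency and hits is the total for the IP, not per agent; if you need hits per (IP, agent) pair, run stats count BY c_ip, cs_User_Agent_ instead. The 0 after sort removes the command's default cap of 10,000 rows, which matters on a busy site where the interesting IPs may not be in the first 10,000 by numeric order. Very long values() lists are truncated according to the maxvalues setting in limits.conf, so a NAT address or a scanner rotating user agents can show a shortened list. Finally, the user-agent string is entirely client-controlled, so an IP with many distinct agents is a triage signal (shared egress, a proxy, or a tool cycling UA strings), not proof of anything on its own.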