Solved: Splunk Condition Search

MM0071 · ‎10-13-2023

Let's say im running a search where I want to look at domains traveled to.

index=web_traffic sourcetype=domains domain IN ("*.com", "*.org*", "*.edu*")

I want to do a count on how domains that have appeared less than 5 times over the search period. How can I accomplish this? I know I could do a

stats count by domain

but after that, I'm unable to grab the rest of the results in the index such as time, etc.

richgalloway · ‎10-13-2023

The stats command is transforming, which means only the fields referenced in it are available to subsequent commands. In this case, they would be count and domain. To make other fields available, include them in stats.

| status count, values(*) as * by domain

Note that fields other than count and domain may be multi-valued and so may require special handling using mv* functions.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-13-2023

The stats command is transforming, which means only the fields referenced in it are available to subsequent commands. In this case, they would be count and domain. To make other fields available, include them in stats.

| status count, values(*) as * by domain

Note that fields other than count and domain may be multi-valued and so may require special handling using mv* functions.

---
If this reply helps you, Karma would be appreciated.

MM0071 · ‎10-13-2023

Thank you so much for the help. Can you explain to me what the follow line means?

values(*) as *

richgalloway · ‎10-13-2023

values(*) as * means take the values of all other fields and put them into fields by the same name. So each field that existed before stats will exist after it, but possibly with more than one value in each.

---
If this reply helps you, Karma would be appreciated.

PickleRick · ‎10-13-2023

It's a way of telling Splunk to rename the fields.

Normally if you just do

| stats values(*)

it will name the resulting fields values(fielda), values(fieldb), values(fieldc) and so on. If you just want to see what those values are that's no problem but that's not very convenient to work with such fields later. So if you do

| stats values(*) as *

The resulting mutivalued fields will be named the same as the original fields which you are summarizing were so instead of values(fielda) you'll still have fielda.

MM0071 · ‎10-13-2023

Gotcha. So how can I implement logic so only show domains that show up 5 or less times?

PickleRick · ‎10-13-2023

You have the count field so you can use the where command to filter the events.

MM0071 · ‎10-13-2023

Is it as simple as:

| stats count, values(*) as * by domain < 5

I get an error trying to do

| where stats count, values(*) as * by domain < 5

PickleRick · ‎10-13-2023

No. Don't try to squeeze everything into one command 🙂

| stats count, values(*) as * by domain

This will give you results groupped by domain.

So now you have to filter the results with another command.

| where count<=5

And you're home.

MM0071 · ‎10-16-2023

thank you. much appreciated.

Splunk Condition Search

eval

fields

stats

tstats

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio