Splunk search for multile counts

anlePRH · ‎02-03-2025

Hi all

Trying to work on something which currently shows a bunch of IP hits and counts against it, the current output is the last 2 hours

Query:
index=source sourcetype="source"
| stats count values(Hostname) by SourceIP
| sort by -count
| rename "count" to "Total count", "values(Hostname)" to "Hosts"

Output:
IP Count
100.100.100.100 5

I want to add a new column called "Last30days" that looks at the IP address found in column 1 and a count search for the last 30 days, so like above but another column for the last 30days, final output below.

IP Count Last30days
100.100.100.100 1 10

tried various variaitions but can't get it to work

gcusello · ‎02-03-2025

Hi @anlePRH ,

you could try something like this (to adapt to your requirement):

index=source sourcetype="source" 
| eval type=if(_time>now()-86400,"Today","Last30days")
| chart count OVER SourceIP BY type

Ciao.

Giuseppe

Splunk search for multile counts

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation

Splunk search for multile counts

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...