Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Top Url by place for summary indexing

o_calmels
Communicator
‎01-18-2013 08:22 AM

Hi, I found on this forum the following search : top 10 URL for top 10 Users.

I modify this search to comply with my bluecoat Logs (get top 10 URL (dest_host) for top all organisme):

sourcetype="bcoat_proxysg" filter_result!="DENIED"  http_response=200 http_content_type="text/html| eventstats count AS total by organisme | stats count first(total) AS total BY organisme dest_host | sort - count | stats list(count) AS count list(dest_host) AS url first(total) AS total by organisme | sort - total | fields - total | eval url=mvindex(url, 0, 30)| eval count=mvindex(count, 0, 30)g

My problem is that the result is grouped by organisme : Each result line is containing one time the organisme name and the 30 entries for each URL:

I would like to get on each single line every information

Result#1 = organisme 1 URL1

Result#2 = organisme 1 URL2

Result#3 = organisme 1 URL3

Result#4 = organisme 1 URL4

...
Result#X = organisme 2 URL1

Result#X = organisme 2 URL2

Result#X = organisme 2 URL3

Result#X = organisme 2 URL4

...

My aim is to populate a summary indexing on with I will generate Web activity for every organisme each month.

Thanks a lot.

Olivier.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...