Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Top Url by place for summary indexing

o_calmels
Communicator
‎01-18-2013 08:22 AM

Hi, I found on this forum the following search : top 10 URL for top 10 Users.

I modify this search to comply with my bluecoat Logs (get top 10 URL (dest_host) for top all organisme):

sourcetype="bcoat_proxysg" filter_result!="DENIED"  http_response=200 http_content_type="text/html| eventstats count AS total by organisme | stats count first(total) AS total BY organisme dest_host | sort - count | stats list(count) AS count list(dest_host) AS url first(total) AS total by organisme | sort - total | fields - total | eval url=mvindex(url, 0, 30)| eval count=mvindex(count, 0, 30)g

My problem is that the result is grouped by organisme : Each result line is containing one time the organisme name and the 30 entries for each URL:

I would like to get on each single line every information

Result#1 = organisme 1 URL1

Result#2 = organisme 1 URL2

Result#3 = organisme 1 URL3

Result#4 = organisme 1 URL4

...
Result#X = organisme 2 URL1

Result#X = organisme 2 URL2

Result#X = organisme 2 URL3

Result#X = organisme 2 URL4

...

My aim is to populate a summary indexing on with I will generate Web activity for every organisme each month.

Thanks a lot.

Olivier.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...