Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Top Url by place for summary indexing

o_calmels
Communicator
‎01-18-2013 08:22 AM

Hi, I found on this forum the following search : top 10 URL for top 10 Users.

I modify this search to comply with my bluecoat Logs (get top 10 URL (dest_host) for top all organisme):

sourcetype="bcoat_proxysg" filter_result!="DENIED"  http_response=200 http_content_type="text/html| eventstats count AS total by organisme | stats count first(total) AS total BY organisme dest_host | sort - count | stats list(count) AS count list(dest_host) AS url first(total) AS total by organisme | sort - total | fields - total | eval url=mvindex(url, 0, 30)| eval count=mvindex(count, 0, 30)g

My problem is that the result is grouped by organisme : Each result line is containing one time the organisme name and the 30 entries for each URL:

I would like to get on each single line every information

Result#1 = organisme 1 URL1

Result#2 = organisme 1 URL2

Result#3 = organisme 1 URL3

Result#4 = organisme 1 URL4

...
Result#X = organisme 2 URL1

Result#X = organisme 2 URL2

Result#X = organisme 2 URL3

Result#X = organisme 2 URL4

...

My aim is to populate a summary indexing on with I will generate Web activity for every organisme each month.

Thanks a lot.

Olivier.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...