Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Top Url by place for summary indexing

o_calmels
Communicator
‎01-18-2013 08:22 AM

Hi, I found on this forum the following search : top 10 URL for top 10 Users.

I modify this search to comply with my bluecoat Logs (get top 10 URL (dest_host) for top all organisme):

sourcetype="bcoat_proxysg" filter_result!="DENIED"  http_response=200 http_content_type="text/html| eventstats count AS total by organisme | stats count first(total) AS total BY organisme dest_host | sort - count | stats list(count) AS count list(dest_host) AS url first(total) AS total by organisme | sort - total | fields - total | eval url=mvindex(url, 0, 30)| eval count=mvindex(count, 0, 30)g

My problem is that the result is grouped by organisme : Each result line is containing one time the organisme name and the 30 entries for each URL:

I would like to get on each single line every information

Result#1 = organisme 1 URL1

Result#2 = organisme 1 URL2

Result#3 = organisme 1 URL3

Result#4 = organisme 1 URL4

...
Result#X = organisme 2 URL1

Result#X = organisme 2 URL2

Result#X = organisme 2 URL3

Result#X = organisme 2 URL4

...

My aim is to populate a summary indexing on with I will generate Web activity for every organisme each month.

Thanks a lot.

Olivier.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...