Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Top Url by place for summary indexing

o_calmels
Communicator
‎01-18-2013 08:22 AM

Hi, I found on this forum the following search : top 10 URL for top 10 Users.

I modify this search to comply with my bluecoat Logs (get top 10 URL (dest_host) for top all organisme):

sourcetype="bcoat_proxysg" filter_result!="DENIED"  http_response=200 http_content_type="text/html| eventstats count AS total by organisme | stats count first(total) AS total BY organisme dest_host | sort - count | stats list(count) AS count list(dest_host) AS url first(total) AS total by organisme | sort - total | fields - total | eval url=mvindex(url, 0, 30)| eval count=mvindex(count, 0, 30)g

My problem is that the result is grouped by organisme : Each result line is containing one time the organisme name and the 30 entries for each URL:

I would like to get on each single line every information

Result#1 = organisme 1 URL1

Result#2 = organisme 1 URL2

Result#3 = organisme 1 URL3

Result#4 = organisme 1 URL4

...
Result#X = organisme 2 URL1

Result#X = organisme 2 URL2

Result#X = organisme 2 URL3

Result#X = organisme 2 URL4

...

My aim is to populate a summary indexing on with I will generate Web activity for every organisme each month.

Thanks a lot.

Olivier.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

o_calmels
Communicator
‎02-26-2013 06:24 AM

I found my answer. If it can help :

sourcetype="bcoat_proxysg" filter_result!="DENIED" http_response=200 http_content_type="text/html" | top category limit=20 by organisme

So simple that I lose mysefl searching a very dificult querry !

Olivier

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...