Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

combining the results into one field

mcbradford
Contributor
‎10-07-2011 01:11 PM

My results are like...

src_ip           src_geo      count
55.89.12.11      US           25

I want the result to be like...

src_ip and src geo             count
55.89.12.11 - US               25

I want this so I can create a chart that shows the src_ip associated with a country and the count.

the src_ip and src_geo - I want this to be a new field

Tags (1)
Reply

mcbradford
Contributor
‎10-07-2011 01:34 PM

I figured it out.. 

direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | eval src_ip_and_src_geo=src_ip." - ".src_geo | top src_ip_and_src_geo showperc=f
Reply

Ayn
Legend
‎10-07-2011 01:19 PM

Use eval to concatenate the field values together into a new field:

<yourbasesearch> | eval src_ip_and_src_geo=src_ip." - ".src_geo | stats count by src_ip_and_src_geo
Reply

mcbradford
Contributor
‎10-07-2011 01:28 PM

When I did this - my count was 1 for each, so I made a few changes..

direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | top src_ip, src_geo showperc=f | eval src_ip_and_src_geo=src_ip." - ".src_geo | fields - src_ip fields - src_geo

This looks like I want it to, but it will not chart?

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...