Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with using table and stats to produce query output

ebailey
Communicator
‎09-24-2013 02:07 PM

I need to take the output of a query and create a table for two fields and then sum the output of one field. The two fields are already extracted and work fine outside of this issue.

For example

eventtype=test-prd Failed_Reason="201" hoursago=4 | stats count by Failed_User | table Failed_User,count

works perfectly

I get a list of Failed_User with a count of how many times the field occurred in the query.

The problem is when I try to add the second field to the table

eventtype=test-prd Failed_Reason="201" hoursago=4 | stats count by Failed_User | table Failed_User,count,IP_ADDR

I get the same table as above but with no data under the column for IP_ADDR

How do I carry the data from the extracted field to fill in the column under IP_ADDR?

Every event with Failed_User also contains IP_ADDR

Thanks

Ed

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-24-2013 03:57 PM

The stats command produces a statistical summarization of data. The reason your IP_ADDR field doesn't appear in your table command is because stats summarized your primary search into a smaller result set containing only a count for each value of Failed_User. What you might do is use the values() stats function to build a list of IP_ADDR for each value of Failed_User

eventtype=test-prd Failed_Reason="201" hoursago=4 
| stats count, values(IP_ADDR) as IP_ADDR by Failed_User 
| table Failed_User,count,IP_ADDR

Note - I am not sure the table command provides anything useful in this example.

View solution in original post

Reply
Solved! Jump to solution

sawgata12345
Path Finder
‎05-21-2018 04:42 AM

eventtype=test-prd Failed_Reason="201" hoursago=4
| stats count, IP_ADDR by Failed_User
| table Failed_User,count,IP_ADD

even without values(IP_ADDR) works as above

Similar kind of output from access.log
source="access.log" host="cisco-virtual-machine" index="testaccess1" sourcetype="access_combined_wcookie" status=404|stats count by status,clientip | table count,status,clientip

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-24-2013 03:57 PM

The stats command produces a statistical summarization of data. The reason your IP_ADDR field doesn't appear in your table command is because stats summarized your primary search into a smaller result set containing only a count for each value of Failed_User. What you might do is use the values() stats function to build a list of IP_ADDR for each value of Failed_User

eventtype=test-prd Failed_Reason="201" hoursago=4 
| stats count, values(IP_ADDR) as IP_ADDR by Failed_User 
| table Failed_User,count,IP_ADDR

Note - I am not sure the table command provides anything useful in this example.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎09-25-2013 11:59 AM

Awesome. Could you please click the checkbox to the left to mark the answer as correct? Thanks.

0 Karma
Reply
Solved! Jump to solution

mendesjo
Path Finder
‎07-01-2016 06:14 PM

great explanation, I get it.. but I tried that values() suggestion with no luck.

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎09-24-2013 08:23 PM

perfect thanks for explaining how stats works. Your explanation is the best I have read.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...