Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

stats count only showing 10 results

mcbradford
Contributor
‎10-12-2011 06:55 AM

This is my search....

index=network source="/u01/noc/log/internetCisco.log" denied |top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" search client_country!="" | stats count by client_country

This will only show me a count of 10 for each country. How can I get the top count per country?

I saw something about limit=0, but I do not know where to put this???

Tags (2)
0 Karma
Reply

Drainy
Champion
‎10-12-2011 09:49 AM

mcbradford, I don't follow how your last post links to this. If you want to update your question then you need to click on the edit button on your original question, posting replies as answers only confuses matters 🙂 As below, what part of the results are wrong?

0 Karma
Reply

mcbradford
Contributor
‎10-12-2011 07:56 AM

index=network source="/u01/noc/log/internetCisco.log" denied |top 100 src_ip | lookup geoip clientip as src_ip | fields client_country, count, src_ip | search client_country!="United States" search client_country!=""| stats sum(count) by client_country | sort -sum(count)

Reply

mcbradford
Contributor
‎10-12-2011 07:43 AM

When I did this I get....

Error in 'top' command: The output count field conflicts with the input field 'count'. Use the 'countfield' option to specify a different name.

my search now is...

index=network source="/u01/noc/log/internetCisco.log" denied |top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" search client_country!="" | stats count by client_country | top count limit=1

but this errors

0 Karma
Reply

Drainy
Champion
‎10-12-2011 07:45 AM

hmm, see my updated answer

0 Karma
Reply

Drainy
Champion
‎10-12-2011 07:14 AM 
|top 100 src_ip

Change that to;

|top 100 src_ip limit=1 |

The limit field is part of the top command and can be changed to set how many top results you want to display.

Edit: Actually, you probably need to add to the end of your search;

| top count limit=1

Edit edit:

Ok, how about;

index=network source="/u01/noc/log/internetCisco.log" denied |top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" search client_country!="" | stats count by client_country | rename count AS cc_count | top cc_count limit=1

I haven't got Splunk running atm so this is just from memory, it may be a conflict between the counts so lets do a rename and top of that

0 Karma
Reply

Drainy
Champion
‎10-12-2011 07:52 AM

what part of the results are incorrect?

0 Karma
Reply

mcbradford
Contributor
‎10-12-2011 07:50 AM

no error - but the results are not correct

0 Karma
Reply

mcbradford
Contributor
‎10-12-2011 07:49 AM

Still does not work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...