...ddress" by user|sort -Count
I want to rename the user column to "User". I'm particular and like my words/heading capitalized. I've tried:
index=[my index] sourcetype=[my sourcetype] event=login_fail|stats...
New to Splunk and experimenting a couple of functionalities, especially data aggregation. With the experimental file app_usage.csv, I was trying to see the percentile of Webmail using |i...
...d with the stats command. Each time you
invoke the stats command, you can use more than one function;
however, you can only use one by clause. For a complete list of stats functions with d...
I might be going too deep here but I figured I'd give it a shot...
I have a stats command keying off of a domain name. I have the values() of the uri's in the stats command as well:
| stats v...
Hi,
We are using Splunk version 5.0.4 in our application. In order to bucket our data and display the buckets in proper order, we use the chart command and then take substr of the field. The f...
...earch web UI like this :
index=my_index | head 1000 | iptoas asdataorigin=Ip | stats count by ASCountry
My problem is that in order to use my custom command with the stats command, I need to run the...
...rite my queries to tstats, and I think what I tried to do here is in line with the recommendations, i.e. I repeated the same functions in the stats command that I use in tstats and used the same BY c...
...OME_OTHER_FIELD==C),SOME_FIELD,0))) as SOME_TOTAL
But if I search like this, it doesn't:
index=SOME_INDEX | stats sum(eval(if(eventtype==SOME_EVENT,SOME_FIELD,0))) as SOME_TOTAL
For the sake of c...