×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
dkotowsk
Engager
Member since: ‎01-30-2018
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 2
Karma Received 0
Member Since ‎01-30-2018
Activity Feed
View All

Re: How to create a stats count by aggregating mul...

by in Splunk Search
‎01-30-2018 12:31 PM
1 Karma
‎01-30-2018 12:31 PM
1 Karma
You can try something like this, though there may be a more efficient way to do it. <Base Search> | eval addr=saddr+":"+daddr | makemv delim=":" addr | mvexpand addr | stats count by addr Basically, you combine the source and destination addresses together and make that a multi-valued field, expand out those values so there's an event for each value, then use stats to group by those new values. ... View more

Re: Different time-frames for different indices/pa...

by in Dashboards & Visualizations
‎01-30-2018 12:49 PM
1 Karma
‎01-30-2018 12:49 PM
1 Karma
@dkotowsk, I would say using append, but there is sub-search limitation applicable. index=index_a earliest="30/01/18:00:00:00" latest="30/01/18:00:05:00" dest_ip="10.0.0.1" | append [search index=index_b earliest="30/01/18:10:00:00" latest="30/01/18:10:05:00" dest_ip="10.0.0.1"] Once you have data from two base searches what is it that you need to perform? See if you can use multisearch instead of append. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All