Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I run a stats search to display a count and other fields by another field?

Makinde
New Member
‎02-02-2016 09:18 AM

How can I run the stats command to generate a count and display the count and other fields by another field. i.e

How do i get a display like;

Src_ip          dest_port       Count
10.1.34.5           25            3
                    30           67
10.64.34.8         443           34
                    80           25
                    56            9

I already have the search that generates the events with these fields, I just want to generate the display to look this way.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2016 10:14 AM

Try something like this

your current search giving single value table with Src_ip dest_port and count | stats list(*) as * by Src_ip

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎02-02-2016 10:14 AM

Try something like this

your current search giving single value table with Src_ip dest_port and count | stats list(*) as * by Src_ip
Reply
Solved! Jump to solution

Makinde
New Member
‎02-02-2016 12:56 PM

I guess i have to replace * with the fields I want right? How do I fill in the multiple fields because it's reporting an error also.

Using the * alone doesn't return any value.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-02-2016 01:09 PM

What is the search that you tried? The above one is assuming that you're already getting result in a table format with only the field Src_ip, dest_port, count. If that's not the case specify every field that you want to list, based on Src_ip.

...| stats list(dest_port) as dest_port list(count) as count by Src_ip
0 Karma
Reply
Solved! Jump to solution

Makinde
New Member
‎02-02-2016 09:35 AM

This display in the question didn't come out as well as I wanted it in the question above.

It is a table with columns Src Ip, dest_port and count. There is only one src_IP address for multiple dest_ports and count. I hope this explanation helps to visualize it.

Thanks,

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...