Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to count total hits by certain fields?

echojacques
Builder
‎10-23-2013 08:58 AM

I've been playing around with eval, transaction, and stats and I still can't figure this one out... so I'm asking for help. This is a search for an IDS system and what I'm trying to do is to list the the number of total hits by src_ip and signature. This is an example of what I've tried:

sourcetype="IDS" | transaction src_ip signature | table src_ip signature hit_count | sort -hit_count

These are the results that I'm getting (the hit counts are not totaled up):

src_ip          signature       hit_count
1.1.1.1         attack-A        100
                                200
                                200

2.2.2.2         attack-B        100
                                100
                                100

1.1.1.1         attack-B        50
                                50

1.1.1.1         attack-C        20
                                30

2.2.2.2         attack-X        8
                                2

3.3.3.3         attack-A        3
                                2

And these are the results that I'm looking for:

src_ip          signature       hit_count
1.1.1.1         attack-A        500
2.2.2.2         attack-B        300
1.1.1.1         attack-B        100
1.1.1.1         attack-C        50
2.2.2.2         attack-X        10
3.3.3.3         attack-A        5

Does anyone know how to do this? Thanks.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jswanson
Explorer
‎10-23-2013 10:25 AM

You have to rename the statistic before you group by src_ip. Also, if you want the "signature" field in your table, you'll have to group by that field as well:
... | stats sum(hit_count) as hits by src_ip signature | table ...

View solution in original post

Reply
Solved! Jump to solution
Solution

jswanson
Explorer
‎10-23-2013 10:25 AM

You have to rename the statistic before you group by src_ip. Also, if you want the "signature" field in your table, you'll have to group by that field as well:
... | stats sum(hit_count) as hits by src_ip signature | table ...

Reply
Solved! Jump to solution

echojacques
Builder
‎10-23-2013 10:26 AM

That worked perfectly, thank you!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2013 09:42 AM

Perhaps something like this?

sourcetype="IDS" | transaction src_ip signature | stats sum(hit_count) by src_ip as hits | table src_ip signature hits | sort -hits
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-23-2013 10:05 AM

Try '... | stats sum(hit_count) by src_ip,signature as hits | ...'

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

echojacques
Builder
‎10-23-2013 09:45 AM

Hi, thanks for the suggestion but when I just tried it, it returned no results- 151 matching events & no matching fields exist.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...