Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with subtotals in search

Akita881
New Member
‎07-03-2015 10:57 AM

Using the search below i get the results in the first table. I would like to show subtotals (in some fashion) like the second table below. Thanks in advance.

POST /profiles/login  
| rex ".*DY_ID=(?<User>(.*?));"
| stats count by clientip  | where  count > 50 
| appendcols [search POST /profiles/login 
    | rex ".*DY_ID=(?<Usergt;(.*?));" 
    |stats  dc(User) as UserCount,  values(User) as UserID,  count by clientip  | where  count > 50 ] 
| table count,clientip,UserCount,DynUser

count...............clientip............UserCount................UserID
...62.............11.111.111.11..............0

.107.............22.222.222.22...........18..................1051265912
............................................................................1051265912
............................................................................1276856930
............................................................................1389348513
............................................................................2710273231
............................................................................3195242289
............................................................................3203819132
.102.............33.333.33.333...........51..................5885625406
............................................................................5885625472
............................................................................5885625517
............................................................................5885625571
............................................................................5885625601

NEEDED:

count...............clientip............UserCount.................UserID............UserID Count
...62.............11.111.111.11..............0

.107.............22.222.222.22............7...................1051265912.................12
............................................................................1051265912.................10
............................................................................1276856930.................34
............................................................................1389348513.................22
............................................................................2710273231.................17
............................................................................3195242289...................8
............................................................................3203819132...................4
.102.............33.333.33.333............5...................5885625406.................31
............................................................................5885625472.................23
............................................................................5885625517.................16
............................................................................5885625571.................19
............................................................................5885625601.................13

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-03-2015 02:38 PM

Because "this post is awaiting moderation" I can't post an answer, only a comment.

Try this

POST /profiles/login  
| rex ".*DY_ID=(?<User>(.*?));"
| stats count by clientip User
| stats sum(count) as count dc(User) as UserCount list(User) as UserID list(count) as UserID_count by clientip
| where clientip_count > 50
| fields count clientip UserCount UserID_count UserID_count

You don't need a appendcols or a sub-search: this should be considerably faster.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-03-2015 02:38 PM

Because "this post is awaiting moderation" I can't post an answer, only a comment.

Try this

POST /profiles/login  
| rex ".*DY_ID=(?<User>(.*?));"
| stats count by clientip User
| stats sum(count) as count dc(User) as UserCount list(User) as UserID list(count) as UserID_count by clientip
| where clientip_count > 50
| fields count clientip UserCount UserID_count UserID_count

You don't need a appendcols or a sub-search: this should be considerably faster.

0 Karma
Reply
Solved! Jump to solution

Akita881
New Member
‎07-04-2015 03:08 PM

Thank you very much for the help.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎07-03-2015 04:20 PM

Should be all good now.

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...