Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with using table and stats to produce query output

ebailey
Communicator
‎09-24-2013 02:07 PM

I need to take the output of a query and create a table for two fields and then sum the output of one field. The two fields are already extracted and work fine outside of this issue.

For example

eventtype=test-prd Failed_Reason="201" hoursago=4 | stats count by Failed_User | table Failed_User,count

works perfectly

I get a list of Failed_User with a count of how many times the field occurred in the query.

The problem is when I try to add the second field to the table

eventtype=test-prd Failed_Reason="201" hoursago=4 | stats count by Failed_User | table Failed_User,count,IP_ADDR

I get the same table as above but with no data under the column for IP_ADDR

How do I carry the data from the extracted field to fill in the column under IP_ADDR?

Every event with Failed_User also contains IP_ADDR

Thanks

Ed

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-24-2013 03:57 PM

The stats command produces a statistical summarization of data. The reason your IP_ADDR field doesn't appear in your table command is because stats summarized your primary search into a smaller result set containing only a count for each value of Failed_User. What you might do is use the values() stats function to build a list of IP_ADDR for each value of Failed_User

eventtype=test-prd Failed_Reason="201" hoursago=4 
| stats count, values(IP_ADDR) as IP_ADDR by Failed_User 
| table Failed_User,count,IP_ADDR

Note - I am not sure the table command provides anything useful in this example.

View solution in original post

Reply
Solved! Jump to solution

sawgata12345
Path Finder
‎05-21-2018 04:42 AM

eventtype=test-prd Failed_Reason="201" hoursago=4
| stats count, IP_ADDR by Failed_User
| table Failed_User,count,IP_ADD

even without values(IP_ADDR) works as above

Similar kind of output from access.log
source="access.log" host="cisco-virtual-machine" index="testaccess1" sourcetype="access_combined_wcookie" status=404|stats count by status,clientip | table count,status,clientip

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎09-24-2013 03:57 PM

The stats command produces a statistical summarization of data. The reason your IP_ADDR field doesn't appear in your table command is because stats summarized your primary search into a smaller result set containing only a count for each value of Failed_User. What you might do is use the values() stats function to build a list of IP_ADDR for each value of Failed_User

eventtype=test-prd Failed_Reason="201" hoursago=4 
| stats count, values(IP_ADDR) as IP_ADDR by Failed_User 
| table Failed_User,count,IP_ADDR

Note - I am not sure the table command provides anything useful in this example.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎09-25-2013 11:59 AM

Awesome. Could you please click the checkbox to the left to mark the answer as correct? Thanks.

0 Karma
Reply
Solved! Jump to solution

mendesjo
Path Finder
‎07-01-2016 06:14 PM

great explanation, I get it.. but I tried that values() suggestion with no luck.

0 Karma
Reply
Solved! Jump to solution

ebailey
Communicator
‎09-24-2013 08:23 PM

perfect thanks for explaining how stats works. Your explanation is the best I have read.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...