Hi, i have a report where i show top 50 404s by uri as shown below. Now i want to get the top referer for each URI in the same report. is it possible?
URI COUNT %
XXX 50 50%
YYY 25 25%
ZZZ 25 25%
output should have
URI COUNT % Referer Referercount REferer%
XXX 50 50%
YYY 25 25%
ZZZ 25 25%
yoursearch | top uri | join uri [search yoursearch | top uri referrer | eval referer_count=count | eval referer_percent=percent] | table uri count percent referrer referer_count referer_percent
Here's an approach to keep things within one search:
your search yielding 404 events | stats c by uri referer | eventstats max(c) as max sum(c) as count by uri | where max==c | fields - max c
You may want to sort, calculate percentages, and cut after the first n results afterwards to look similar to top.
Note: This does not handle cases where the top referers for one uri have equal counts. If that's important for you you can insert a ... | streamstats count as number by uri referer | where number==1 | fields - number
at the end.
yoursearch | top uri | join uri [search yoursearch | top uri referrer | eval referer_count=count | eval referer_percent=percent] | table uri count percent referrer referer_count referer_percent
Thank you all for your inputs
You can try:
|top limit=50 uri |append [yoursearch |top top limit=50 referer by uri]
I've not tried this, but in theory it should work.
Right, you want to maintain the numbers for both. I updated the answer.
that will give me top referers but i want to get top uris for 404s and then for those uris i need top referers