Solved: counting combination of fields

a212830 · ‎02-27-2014

Hi,

How would I count a combination of fields in splunk? For example, I have a "from_ip_addr" and a "to_ip_addr" in an event, and I want to count unique combinations of those two.

somesoni2 · ‎02-27-2014

Try this

your base search | stats count by from_op_addr, to_ip_addr | stats count

View solution in original post

somesoni2 · ‎02-27-2014

Try this

your base search | stats count by from_op_addr, to_ip_addr | stats count

a212830 · ‎02-28-2014

Great. Thanks!

sssignals · ‎11-12-2017

It works for me! Thanks.

martin_mueller · ‎02-27-2014

Leave the final stats off the first suggestion to get this:

your base search | stats count by from_op_addr, to_ip_addr

a212830 · ‎02-27-2014

Thanks. Is there a way to get the combo's listed as well?

from_ip to_ip count

martin_mueller · ‎02-27-2014

Or this:

your base search | eval from_to = from_ip_addr.to_ip_addr | stats dc(from_to)

counting combination of fields

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes