Splunk Search

How to count each tuple value by day of the week

nishan_perera
Explorer

I have a query like this:

%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats values(denyTuppleValue),count(denyTuppleValue) by date_wday

Result:

date_wday   values(denyTuppleValue)           count(denyTuppleValue)
wednesday   xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx    520
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
thursday    xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx    10
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx

But I need to get the count for each denyTuppleValue, not the count for the day, which would look like this:

date_wday   values(denyTuppleValue)           count(denyTuppleValue)
wednesday   xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx    110
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx    20
            xx.xxx.xxx.xxx-xxx.xx.xxx.x-xx    130

Any ideas would be much appreciated.

somesoni2
Revered Legend

Give this a try:

%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats count(denyTuppleValue) as count by date_wday,denyTuppleValue | stats values(denyTuppleValue) values(count) by date_wday

nishan_perera
Explorer

This also works, but you need to click the day in order to go to the view I want. But yeah, I can reuse your query to get the values I'm after and save them into a CSV file. Thanks for the help.

martin_mueller
SplunkTrust

You can even leave off the values(denyTuppleValue) when grouping by that very field.


nishan_perera
Explorer

True, I should get rid of that.

musskopf
Builder

What happens if you change your search to:

%asa deny OR denied | eval dest_port = if(isnum(dest_port),dest_port,00)| eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port | stats values(denyTuppleValue),count(denyTuppleValue) by date_wday, denyTuppleValue
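As an added example that is not part of this thread, the following Python script reproduces the three aggregations discussed above over a few constructed ASA-style deny lines: the original single `stats ... by date_wday` (one count per day), the `stats count by date_wday, denyTuppleValue` stage shared by the accepted answer and musskopf's query (one count per tuple, with the day repeated per row), and the accepted answer's second `stats` that rolls the per-tuple rows back up to one row per day. The log layout, the regex, the addresses and the weekday values are assumptions for illustration; in Splunk the ASA field extractions and `date_wday` give you these fields directly. One point worth knowing about the roll-up stage: `values()` returns distinct values in lexicographic order, so `values(count)` can collapse repeated counts and loses the pairing between a tuple and its count, whereas `list()` keeps input row order; the `use_list` flag below mirrors that difference.

```python
"""
Added example (not from this thread): reproduce the aggregations discussed
above in plain Python over constructed ASA-style deny lines.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample events (not real traffic). Addresses are from the RFC 5737
# documentation ranges. May 22 2024 is a Wednesday, May 23 2024 a Thursday.
# The last line has no destination port, which exercises the isnum() fallback.
SAMPLE_LOGS = [
    "May 22 2024 10:00:01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:192.0.2.10/22",
    "May 22 2024 10:00:02 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51001 dst inside:192.0.2.10/22",
    "May 22 2024 10:00:03 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:192.0.2.20/3389",
    "May 23 2024 09:15:00 %ASA-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:192.0.2.10/53",
    "May 23 2024 09:15:01 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51002 dst inside:192.0.2.10/22",
    "May 23 2024 09:15:02 %ASA-4-106023: Deny icmp src outside:203.0.113.9 dst inside:192.0.2.10",
]

# Assumed line layout; in Splunk the ASA add-on's field extractions do this work.
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) .*?Deny (?P<proto>\w+) "
    r"src \w+:(?P<src_ip>[\d.]+)(?:/\d+)? "
    r"dst \w+:(?P<dest_ip>[\d.]+)(?:/(?P<dest_port>\S+))?"
)


def parse_deny(line):
    """Return the fields the search uses, or None for lines that are not denies."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    port = m.group("dest_port")
    # eval dest_port = if(isnum(dest_port), dest_port, 00): non-numeric or missing -> 0
    dest_port = int(port) if port is not None and port.isdigit() else 0
    src_ip, dest_ip = m.group("src_ip"), m.group("dest_ip")
    return {
        "date_wday": ts.strftime("%A").lower(),  # Splunk's date_wday is lowercase
        "src_ip": src_ip,
        "dest_ip": dest_ip,
        "dest_port": dest_port,
        # eval denyTuppleValue = src_ip."-".dest_ip."-".dest_port
        "denyTuppleValue": f"{src_ip}-{dest_ip}-{dest_port}",
    }


def count_by_day(events):
    """Original query: stats values(denyTuppleValue), count(denyTuppleValue) by date_wday.
    One row per day; the count is the day's total, not a per-tuple count."""
    per_day = {}
    for e in events:
        row = per_day.setdefault(e["date_wday"], {"values": set(), "count": 0})
        row["values"].add(e["denyTuppleValue"])
        row["count"] += 1
    # values() is distinct and lexicographically sorted
    return {d: {"values": sorted(r["values"]), "count": r["count"]} for d, r in per_day.items()}


def count_by_day_and_tuple(events):
    """stats count by date_wday, denyTuppleValue: one row per (day, tuple) pair.
    This is what the accepted answer's first stats and musskopf's query produce."""
    counts = Counter((e["date_wday"], e["denyTuppleValue"]) for e in events)
    return [(day, t, n) for (day, t), n in sorted(counts.items())]


def rollup_by_day(rows, use_list=True):
    """Second stats of the accepted answer: collapse per-tuple rows back to one row per day.
    use_list=True mimics list(): row order is kept, so count[i] belongs to denyTuppleValue[i].
    use_list=False mimics values(): distinct and sorted, so duplicates collapse and pairing is lost."""
    per_day = {}
    for day, t, n in rows:
        row = per_day.setdefault(day, {"denyTuppleValue": [], "count": []})
        row["denyTuppleValue"].append(t)
        row["count"].append(n)
    if not use_list:
        for row in per_day.values():
            row["denyTuppleValue"] = sorted(set(row["denyTuppleValue"]))
            row["count"] = sorted(set(row["count"]), key=str)  # lexicographic, as Splunk sorts strings
    return per_day


if __name__ == "__main__":
    events = [e for e in map(parse_deny, SAMPLE_LOGS) if e]
    print("per day only:", count_by_day(events))
    rows = count_by_day_and_tuple(events)
    for day, t, n in rows:
        print(f"{day:<10} {t:<30} {n}")
    print("rolled up with list():  ", rollup_by_day(rows))
    print("rolled up with values():", rollup_by_day(rows, use_list=False))
```

Running the script shows Wednesday's tuples with counts 2 and 1 under the per-tuple stages, while the `values()`-style roll-up reports `[1, 2]` for Wednesday and a single `[1]` for Thursday's three tuples, which is the pairing loss to watch for when you export the rolled-up rows to CSV.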

nishan_perera
Explorer

This works, but the day gets repeated for each value. But I think this is what I'm after. Cheers for the help.
