Splunk Search

stats count only showing 10 results

mcbradford
Contributor

This is my search....

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" | search client_country!="" | stats count by client_country

This will only show me a count of 10 for each country. How can I get the top count per country?

I saw something about limit=0, but I do not know where to put this???

0 Karma

Drainy
Champion

mcbradford, I don't follow how your last post links to this. If you want to update your question then you need to click on the edit button on your original question, posting replies as answers only confuses matters 🙂 As below, what part of the results are wrong?

0 Karma

mcbradford
Contributor

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country, count, src_ip | search client_country!="United States" | search client_country!="" | stats sum(count) by client_country | sort -sum(count)

mcbradford
Contributor

When I did this I get....

Error in 'top' command: The output count field conflicts with the input field 'count'. Use the 'countfield' option to specify a different name.

my search now is...

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" | search client_country!="" | stats count by client_country | top count limit=1

but this errors

0 Karma

Drainy
Champion

hmm, see my updated answer

0 Karma

Drainy
Champion

|top 100 src_ip

Change that to;

|top 100 src_ip limit=1 |

The limit field is part of the top command and can be changed to set how many top results you want to display.

Edit: Actually, you probably need to add to the end of your search;

| top count limit=1 

Edit edit:

Ok, how about;

index=network source="/u01/noc/log/internetCisco.log" denied | top 100 src_ip | lookup geoip clientip as src_ip | fields client_country | search client_country!="United States" | search client_country!="" | stats count by client_country | rename count AS cc_count | top cc_count limit=1

I haven't got Splunk running atm, so this is just from memory; it may be a conflict between the counts, so let's do a rename and top of that.

0 Karma
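To show where the top options actually go, here is an added example built on the same search; it is not code from the thread. It assumes, as the original post does, that the geoip lookup takes the input field clientip and returns client_country, and that the field names src_hits, denied_hits and sources are not already in use. The first search puts limit=0 on top so it keeps every src_ip rather than a capped list, renames top's count column with countfield so nothing downstream collides with a second count, and then sums those per-source counts per country. The second search moves the by-clause onto top to get the single busiest source for each non-US country, which is the other reading of "top count per country".

```spl
index=network source="/u01/noc/log/internetCisco.log" denied
| top limit=0 countfield=src_hits showperc=f src_ip
| lookup geoip clientip AS src_ip OUTPUT client_country
| search client_country!="United States" client_country!=""
| stats sum(src_hits) AS denied_hits dc(src_ip) AS sources BY client_country
| sort -denied_hits

index=network source="/u01/noc/log/internetCisco.log" denied
| lookup geoip clientip AS src_ip OUTPUT client_country
| search client_country!="United States" client_country!=""
| top limit=1 countfield=denied_hits showperc=f src_ip BY client_country
| sort -denied_hits
```

Note that once top has run, each row is already one src_ip with its count, so a later stats count by client_country counts distinct source addresses per country, not denied events; summing the count column (as mcbradford's later version with sum(count) does) is what gives the number of denied events. The countfield option is the fix the error message in this thread points at: giving top's count a different name means a following top or stats can use count without the conflict.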

Drainy
Champion

what part of the results are incorrect?

0 Karma

mcbradford
Contributor

no error - but the results are not correct

0 Karma

mcbradford
Contributor

Still does not work.

0 Karma