Solved: How do I group time values together by another fie...

andrewking1116 · ‎06-03-2016

I'm trying to get my table to group events by Source IP. The search counts the number web traffic hits by Source IP and groups them into 1 hour time frame. I want to then have each Source IP as a single event and also show all the hour time spans that that IP was seen.

Current:

Time               Count   IP             
2016-06-02 14:00   3500    1.1.1.1      
2016-06-02 16:00   3000    1.1.1.1      
2016-06-02 15:00   3000    2.2.2.2

What I want:

Time               Count   IP
2016-06-02 14:00   6500 1.1.1.1      
2016-06-02 16:00
2016-06-02 15:00   3000    2.2.2.2

sundareshr · ‎06-03-2016

Try this

... | bin span=1d _time | stats values(_time) as Time sum(count) count by IP | table Time count IP

View solution in original post

sundareshr · ‎06-03-2016

Try this

... | bin span=1d _time | stats values(_time) as Time sum(count) count by IP | table Time count IP

andrewking1116 · ‎06-07-2016

Thank you for your quick response. I thought I had tried that but must have use value instead of values.

ppablo · ‎06-07-2016

HI @andrewking1116

If @sundareshr's answer solved your question, please don't forget to resolve the post by clicking "Accept" directly below his answer. Also give him an upvote for helping you out 🙂

Patrick

How do I group time values together by another field?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!