I have a basic report being built and am having trouble with counts/dedup, so to speak. Below is my current output. What I would like is one of the two outputs further below: either with a count, where the other fields can be overwritten with whatever the last found value was, or, extra special, if I could concat the values like at the very bottom. Any ideas?
source="Firewall" | table source dest blah1 blah2

source      dest      blah1  blah2
10.1.1.1    1.2.3.4   A      B
10.1.1.1    1.2.3.4   B      B
10.1.1.2    1.2.3.4   A      B
Attempted searches:

source="Firewall" | stats count by source dest blah1 blah2 count
source="Firewall" | stats count by source | table source dest blah1 blah2 count
source="Firewall" | stats count by source | join ?????? (various types tried)
Output needed:

source      dest      blah1  blah2  count
10.1.1.1    1.2.3.4   A      B      2
10.1.1.2    1.2.3.4   A      B      1

Or, preferred:

source      dest      blah1  blah2  count
10.1.1.1    1.2.3.4   A,B    B,B    2
10.1.1.2    1.2.3.4   A      B      1
See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions, so:

... | stats latest(blah1) as blah1, latest(blah2) as blah2, count by source,dest

or

... | stats values(blah1) as blah1, values(blah2) as blah2, count by source,dest

or

... | stats list(blah1) as blah1, list(blah2) as blah2, count by source,dest
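The three stats functions in the answer behave differently on the sample rows, and the difference matters for the "preferred" output: values() deduplicates and sorts, so blah2 for 10.1.1.1 comes back as B, not B,B; list() keeps every occurrence in arrival order (capped at 100 values per group in Splunk), which is what produces B,B; latest() keeps the single value from the most recent event. The following Python is an added example that emulates those semantics over the rows from the question so the outputs can be compared side by side; it is not Splunk code or part of the original thread. The events, the _time values and the function name stats_by are all constructed for this illustration.

```python
from collections import OrderedDict

# Constructed sample events matching the rows in the question.
# A _time field is added (assumed) so that latest() is well defined.
EVENTS = [
    {"_time": 1, "source": "10.1.1.1", "dest": "1.2.3.4", "blah1": "A", "blah2": "B"},
    {"_time": 2, "source": "10.1.1.1", "dest": "1.2.3.4", "blah1": "B", "blah2": "B"},
    {"_time": 3, "source": "10.1.1.2", "dest": "1.2.3.4", "blah1": "A", "blah2": "B"},
]


def stats_by(events, by, fields, func):
    """Emulate `stats <func>(f) as f, ..., count by <by fields>` for
    func in {"latest", "values", "list"}.

    Returns one row dict per group, in first-seen group order, with the
    aggregated field values and a count of events in the group.
    """
    groups = OrderedDict()
    for ev in events:
        key = tuple(ev[f] for f in by)
        groups.setdefault(key, []).append(ev)

    rows = []
    for key, evs in groups.items():
        row = dict(zip(by, key))
        # Order the group's events chronologically so latest() is the last one.
        evs_sorted = sorted(evs, key=lambda e: e["_time"])
        for f in fields:
            vals = [e[f] for e in evs_sorted if f in e]
            if func == "latest":
                row[f] = vals[-1]                # single most recent value
            elif func == "values":
                row[f] = sorted(set(vals))       # deduplicated, lexicographic
            elif func == "list":
                row[f] = vals                    # every occurrence, in order
            else:
                raise ValueError("unsupported stats function: %s" % func)
        row["count"] = len(evs)
        rows.append(row)
    return rows


def render(rows, columns):
    """Render rows the way the question shows them: multivalue fields joined by commas."""
    out = []
    for r in rows:
        cells = []
        for c in columns:
            v = r[c]
            cells.append(",".join(v) if isinstance(v, list) else str(v))
        out.append(" ".join(cells))
    return out


if __name__ == "__main__":
    cols = ["source", "dest", "blah1", "blah2", "count"]
    for func in ("latest", "values", "list"):
        print("stats %s(...) by source,dest:" % func)
        for line in render(stats_by(EVENTS, ["source", "dest"], ["blah1", "blah2"], func), cols):
            print("  " + line)
```

Running it shows that only list() reproduces the "A,B B,B" row exactly; values() gives "A,B B" for the same group. If the duplicate B,B is not wanted, values() is the cleaner choice; if the row should reflect how many times each value occurred, use list(), or add a separate count per value with a second stats by source,dest,blah2 before joining the results.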