Solved: Grouping results in a table by IP address

stakor · ‎04-01-2017

I know I have bumped into this in the past, but I can think of a good keyword to do a search on...

I have a search that produces a list of IPs, most have multiple content categories associated with them. I want to create a table, where each IP is listed once, and all the content categories that are associated with that IP are listed with that IP. For example:

1.1.1.1 test1
1.1.1.1 test2
1.1.1.1 test3
1.1.1.2 test1

Would go into a table like:

1.1.1.1 test1
        test2
        test3

1.1.1.2 test1

I know that there is a way to cluster the results around the IP address. I just can't think of the right term to google. Anyone know what I should be searching for?

starcher · ‎04-01-2017

You can do | stats values(field) as field by ip

View solution in original post

jstoner_splunk · ‎04-01-2017

I believe you are looking for something like this:

* |stats values(dest) by src

Do your search to get the data reduced to what you want and then do a stats command by the name of the field in the first column, but then do a values around the second column to get all the test1, test2, test3 values.

starcher · ‎04-01-2017

You can do | stats values(field) as field by ip

Grouping results in a table by IP address

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases