Pivot search

ALLIACOM · ‎02-19-2018

hello ,
someone can help me to translate this pivot command in search command

| pivot proofpoint proofpoint_search count(proofpoint_search) AS "count(proofpoint_search)" SPLITROW s_domaine SPLITROW ip_sender AS ip SPLITROW action AS action SORT 1000000 s_domaine ROWSUMMARY 0 COLSUMMARY 0 NUMCOLS 0 SHOWOTHER 1|table s_domaine ip action|search s_domaine!="NULL" s_domaine="$doamine$" ip!="NULL" ip="$ip$" action!="NULL" $status$|stats values(ip) as IPs values(action) as action count by s_domaine|rename s_domaine AS "Sender Domaine" |sort - count.

thank you in advance

p_gurav · ‎03-17-2018

Hi,

You can try :

    ..| stats count(proofpoint_search) AS "count(proofpoint_search)" by s_domain, ip_sender,action | sort s_domain | rename ip_sender AS ip | 
    table s_domain ip action|search s_domain!="NULL" s_domain="$doamin$" ip!="NULL" ip="$ip$" action!="NULL" $status$|stats values(ip) as IPs values(action) as action count by s_domain|rename s_domain AS "Sender Domain" |sort - count.

deepashri_123 · ‎02-19-2018

hey alliacom,

Try this,

.... | stats values(proofpoint) AS proofpoint values(proofpoint_search) AS proofpoint_search count(proofpoint_search) AS "count(proofpoint_search)" by s_domaine,ip_sender,action | rename ip_sender AS ip | table s_domaine ip action|search s_domaine!="NULL" s_domaine="$doamine$" ip!="NULL" ip="$ip$" action!="NULL" $status$|stats values(ip) as IPs values(action) as action count by s_domaine|rename s_domaine AS "Sender Domaine" |sort - count.

Pivot search

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio