Splunk Search

How can I create a search with the stats command which breaks up results into separate rows?

showard22
New Member

Trying to create a query that would search two different network logs (firewall and proxy) and return results. The results would be displayed with a count by URL. The issue I'm having is that it's returning all the results in one row when I want individual URLs in each of their own individual rows with their corresponding fields including first and last time to that URL.

So the count is pulling ALL URLs rather than each individual one. It's definitely something with the stats command but I can't seem to tweak it to make it work.

Any ideas?

(index=firewall OR index=proxy) (sourcetype=fwlog OR sourcetype=proxylog) (dest=* OR DestinationIP=*) (src=8.8.8.8 OR SourceIP=8.8.8.8) (url="*" OR URL="*")
| eval url = coalesce(url,URL) 
| eval action = coalesce(action,Action) 
| eval src = coalesce(src,SourceIP)
| eval dest = coalesce(dest,DestinationIP)
| stats values(url) AS URLs count earliest(_time) AS First latest(_time) AS Last by src dest action 
| fields src dest action URLs count First Last
| convert timeformat="%Y-%m-%d %T" ctime(First) ctime(Last)
0 Karma

Vijeta
Influencer

try using the below stats commad-

stats values(src) as src, values(dest) as dest, values(action) as action earliest(_time) as First, latest(_time) as Last by url

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...