Solved: Search with 3 fields and count

manwin · ‎09-21-2010

I'm trying to create a table which shows the following: -

Domain Client_IP Client_User Count

www.google.com 192.168.1.100 manwin 5

www.spurs-sg.org 192.168.1.101 User2 10

I can get a table showing me

Domain Client_IP Count

by doing the following search

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP

but I can't find a way to add in the user.

ftk · ‎09-21-2010

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

View solution in original post

ftk · ‎09-21-2010

You can do

sourcetype="bcoat_proxysg" |top limit=100 Domain by Client_IP, Client_User

More info on top: http://www.splunk.com/base/Documentation/latest/SearchReference/Top

manwin · ‎09-21-2010

Thanks I've given it a tick. Thanks for your response.

ftk · ‎09-21-2010

Feel free to accept usable answers -- helps close out the question and makes the site more usable for new users especially. Thanks!

manwin · ‎09-21-2010

Thanks, I just tested with my sample data and it worked.......
Interestingly when I was testing the exact same command at my customer's location it did not give me any results.

Search with 3 fields and count

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life