Counting number of occurrences for each value in a...

Thuan · ‎05-06-2014

This is related to my DNS index. I need to search all names that start with wpad and to list all the values found.
I did this using the command

"index=dns* quest_name="wpad* | stats values(quest_name) AS WPAD

An excerpt of the results is shown below

wpad.NGIT.Northgrum.com
wpad.NGMS.Northgrum.com
wpad.Northgrum.com
....

What I need is to compute the number of times each of the preceding values, say "wpad.NGIT.Northgrum.com", appears in the search. Can it be done using a single search? Thank you.

Thuan · ‎05-06-2014

Having a count for each one of the quest_name values is the 1st step. I now need to compute the percentage of each of the computed quest_name count against the total count of all quest_name.
I can try
index=dns quest_name=wpad* | stats count(quest_name) AS Total count by quest_name AS WPAD
But this does not work.
How can these computations be done with one single search?
Thank you.

somesoni2 · ‎05-06-2014

What should be the expected output?

lguinn2 · ‎05-06-2014

You could easily do this

index=dns quest_name=wpad* | stats count by quest_name | rename quest_name as WPAD

Counting number of occurrences for each value in a multi-valued field

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...