![]() I suppose I could delete the "user" column from the final output. Index= sourcetype= event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by user|sort -CountĪnd that created two columns with the same data (user and User). For example, if you have field A, you cannot rename A as B, A as C. KIran331s answer is correct, just use the rename command after the stats command runs. At one point the search manual says you CANT use a group by field as one of the stats fields, and gives an example of creating a second field with eval in order to make that work. You cannot rename one field with multiple names. Im surprised that splunk let you do that last one. For example, you cannot specify stats count BY source. If a BY clause is used, one row is returned for each distinct value. If the stats command is used without a BY clause, only one row is returned, which is the aggregation over the entire incoming result set. I've tried some other things as well and no luck. The stats command does not support wildcard characters in field values in BY clauses. Calculates aggregate statistics, such as average, count, and sum, over the results set. Index= sourcetype= event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" values(user) as User by User|sort -CountĮrror in 'stats' command: The output field 'User' cannot have the same name as a group-by field. If it's the former, are you looking to do this over time, i.e. I'm particular and like my words/heading capitalized. Are you looking to calculate the average from daily counts, or from the sum of 7 days worth This is the confusing part. I want to rename the user column to "User". ![]() fields command, keeps fields which you specify, in the output. ![]() which retains the format of the count by domain per source IP and only shows the top 10. ![]() stats list (domain) as Domain, list (count) as count, sum (count) as total by srcip. top command, can be used to display the most common values of a field, along with their count and percentage. My query now looks like this: indexindexname. I am trying to get the count of different fields and put them in a single table with sorted count. Index= sourcetype= event=login_fail|stats count as Count values(event) as Event values(ip) as "IP Address" by user|sort -Count Give this a try yourbasesearch top limit0 fielda fields fielda count. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |