Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to make stats count result value become filters in search/dashboard

b1211ry
Explorer
‎12-25-2022 02:18 AM

Hi,

I need to call the result value as a filter. like this table below, the second value on column RecipientDomain will call on search as filter. become this query:

index=sec_office365_dlp sourcetype=sec_office365_dlp RecipientDomain=@yahoo.com | stats count by xxx

 

splunk first query.jpg

 

Help please..

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2022 04:56 PM

You need a subsearch.  The subsearch runs first and selects the value the main search will look for.

index=sec_office365_dlp sourcetype=sec_office365_dlp [ index=sec_office365_dlp sourcetype=sec_office365_dlp RecipientDomain IN (@gmail.com @yahoo.com @hotmail.com) 
  | stats count by RecipientDomain
  | sort limit=2 - count
  | tail 1
  | return RecipientDomain ]
| stats count by xxx

The subsearch selects the last (tail 1) result from the two produced by sort, which is the same as the second of three.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2022 07:20 AM

How does Splunk know which RecipientDomain value to use?  Is it always the second?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

b1211ry
Explorer
‎12-25-2022 07:27 AM

Yes @richgalloway , we always use the second one value.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-25-2022 04:56 PM

You need a subsearch.  The subsearch runs first and selects the value the main search will look for.

index=sec_office365_dlp sourcetype=sec_office365_dlp [ index=sec_office365_dlp sourcetype=sec_office365_dlp RecipientDomain IN (@gmail.com @yahoo.com @hotmail.com) 
  | stats count by RecipientDomain
  | sort limit=2 - count
  | tail 1
  | return RecipientDomain ]
| stats count by xxx

The subsearch selects the last (tail 1) result from the two produced by sort, which is the same as the second of three.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

b1211ry
Explorer
‎12-29-2022 12:38 AM

Thanks for your help @richgalloway .  It works!!👍

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...