combining the results into one field

mcbradford · ‎10-07-2011

My results are like...

src_ip           src_geo      count
55.89.12.11      US           25

I want the result to be like...

src_ip and src geo             count
55.89.12.11 - US               25

I want this so I can create a chart that shows the src_ip associated with a country and the count.

the src_ip and src_geo - I want this to be a new field

mcbradford · ‎10-07-2011

I figured it out..

direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | eval src_ip_and_src_geo=src_ip." - ".src_geo | top src_ip_and_src_geo showperc=f

Ayn · ‎10-07-2011

Use eval to concatenate the field values together into a new field:

<yourbasesearch> | eval src_ip_and_src_geo=src_ip." - ".src_geo | stats count by src_ip_and_src_geo

mcbradford · ‎10-07-2011

When I did this - my count was 1 for each, so I made a few changes..

direction="external" sourcetype="sidewinder" action=blocked src_geo="US" OR src_geo="CA" | top src_ip, src_geo showperc=f | eval src_ip_and_src_geo=src_ip." - ".src_geo | fields - src_ip fields - src_geo

This looks like I want it to, but it will not chart?

combining the results into one field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases