Splunk query <my search_criteria> | stats count by Proxy, API, VERB, ClientApp preparing the below table.
| Proxy | API | VERB | ClientApp | count |
|---|---|---|---|---|
| CUSTOMER_OFFICE_CLIENTS | clients/{clientId} | GET | co_web | 5 |
| CUSTOMER_OFFICE_CLIENTS | clients/{clientId} | GET | co_mobile | 6 |
| CUSTOMER_OFFICE_CLIENTS | clients/{clientId} | GET | co_tab | 4 |
| CUSTOMER_OFFICE_CLIENTS | clients | POST | co_web | 57 |
| CUSTOMER_OFFICE_CLIENTS | clients | POST | co_mobile | 34 |
| CUSTOMER_OFFICE_CLIENTS | clients | POST | co_tab | 50 |
Is there a way to group by Proxy, API, VERB and collect ClientApp values as comma separated list as follows with splunk query?
| Proxy | API | VERB | ClientApp | count |
|---|---|---|---|---|
| CUSTOMER_OFFICE_CLIENTS | clients/{clientId} | GET | co_web, co_mobile, co_tab | 15 |
| CUSTOMER_OFFICE_CLIENTS | clients | POST | co_web, co_mobile, co_tab | 141 |
You could use values() to return all of the unique ClientApp values in each row.
| stats values(ClientApp) count by Proxy, API, VERB
and to get the ClientApp values in a comma-separated list, use the mvjoin function.
| stats values(ClientApp) as ClientApp count by Proxy, API, VERB
| eval ClientApp = mvjoin(ClientApp, ",")