topic How to get the correct count records instead of counting the field name twice? in Splunk Search

How to get the correct count records instead of counting the field name twice?

ksbuchanan — Sat, 03 Feb 2018 17:00:57 GMT

Here is my search:

source="WinEventLog:Security" EventCode="4723" OR EventCode="529" | eval UserName=coalesce(User_Name,Account_Name) | stats count by UserName |sort -count |head 10

The problem is that the field "Account_Name" appears more than once in the record, so the count is effectively doubled. How can I get the correct count of the records instead of counting the field name twice?

Re: How to get the correct count records instead of counting the field name twice?

micahkemp — Sat, 03 Feb 2018 23:09:06 GMT

In your coalesce you can use mvindex to grab just the first occurrence of Account_Name:

| eval UserName=coalesce(User_Name,mvindex(Account_Name, 0))

Re: How to get the correct count records instead of counting the field name twice?

ksbuchanan — Tue, 29 Sep 2020 17:53:54 GMT

host="rh-dc*" EventCode=4723
| eval UserName=coalesce(User_Name,mvindex(Account_Name, 0))
| stats count(Account_Name) by Account_Name
| sort -count(Account_Name)

This yields this result:
Account_Name count(Account_Name)
KINKI 12
ROSCO 8
ADAAN 4

The problem, is that there are only 3 actual records for the Account_Name: KINKI

why is it multiplying the results? Granted, the record has 2 fields that are called "Account_Name" which contain "KINKI"

I appreciate your help...but I am confused about how to get it to count the "just the first "occurrence" of the "Account_Name" field.

Thank you!!

Re: How to get the correct count records instead of counting the field name twice?

micahkemp — Sun, 04 Feb 2018 04:33:07 GMT

count(Account_Name) BY Account_Name will count the number of values seen in the Account_Name field, not the number of events where that Account_Name was seen.

To get the event count per Account_Name, use stats count BY Account_Name‘. Notice the lack of()` in this example.

Also, you caolesced to User_Name, but counted by Account_Name. I can’t imagine this is actually what you wanted.

Re: How to get the correct count records instead of counting the field name twice?

ksbuchanan — Sun, 04 Feb 2018 13:17:41 GMT

micahkemp: I tried you solution, but the resulting count is 6, but the number of records is 3.

The Windows event log uses the Account_Name field twice in the record, and the search statement is counting each one of the field occurrences. So, all the counts are doubled.

Re: How to get the correct count records instead of counting the field name twice?

ksbuchanan — Sun, 04 Feb 2018 16:19:12 GMT

i found a solution i am doing a distinct count on the record number, and that returns the correct number of records

host="rh-dc*" EventCode=4723
| stats dc(RecordNumber) by Account_Name
| sort -count

Re: How to get the correct count records instead of counting the field name twice?

ksbuchanan — Sun, 04 Feb 2018 16:21:47 GMT

i found a solution. i am doing a distinct count on the record number, and that returns the correct number of records

host="rh-dc*" EventCode=4723
| stats dc(RecordNumber) by Account_Name
| sort -count

Re: How to get the correct count records instead of counting the field name twice?

micahkemp — Sun, 04 Feb 2018 16:30:20 GMT

Excellent. You my consider converting your comment to an answer and accepting it so that this question no longer appears open and others have an easier time finding the correct answer.

Re: How to get the correct count records instead of counting the field name twice?

richgalloway — Sun, 04 Feb 2018 19:17:32 GMT

@ksbuchanan If your problem is resolved, please accept an answer to help future readers.

Re: How to get the correct count records instead of counting the field name twice?

ksbuchanan — Tue, 13 Feb 2018 06:14:49 GMT

I downvoted this post because this solution didn't work. i tried it and it gave the same answer (which was 2x the number of actual records).

Re: How to get the correct count records instead of counting the field name twice?

Richfez — Tue, 13 Feb 2018 17:30:14 GMT

@ksbuchanon,

Thank you for participating in Answers! Having users that ask questions and help answer them are what makes our community so great!

We here in Answers often deal with very complex, vague questions over data and problems that aren't well defined. These often require multiple layers of comments and attempts to find a "best" answer for the questioner's problem. We really think this is one of the things that sets this community apart from others - our inclusion of all people who are trying to help and the effort we will often put toward finding you the answer you need.

So, In order to encourage as much participation as possible we prefer to:
Accept the "most right" answer if it solved your problem,
Liberally upvote comments or other answers that were helpful.

In that same spirit, we reserve downvoting an answer for only if it's possibly harmful to a users system, and not if it just didn't quite answer your problem as well as it could have.

Many thanks, and Happy Splunking!
-Rich

Re: How to get the correct count records instead of counting the field name twice?

ppablo — Tue, 13 Feb 2018 17:32:22 GMT

Hi @ksbuchanan

Glad you found a solution to your question 🙂 Just fyi for this Splunk community forum, please reserve downvotes for suggestions that could be harmful in a Splunk environment or is against known best practices. If you have feedback on someone's post, just commenting on it will be more constructive instead of making people lose karma points who was just trying to help out. For the solution(s) that do work, upvote those so they make it up to the top of the list for visibility.

Thanks!