https://community.splunk.com/t5/Splunk-Search/How-to-display-SPL-to-chart-events/m-p/590743#M205671 <P>I have a search I can compose using multiple appends and sub-searches to accomplish, but I assume there's an easier way I'm just not seeing, and hoping someone can help. (maybe using | chart?)</P> <P>Essentially, I have a set of user login data... username and login_event (successful, failed, account locked, etc...).</P> <P>I'd like to display a chart showing total events (by login_event) and distinctive count by username, which might look like below:<BR /><BR /></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="25px">login_event</TD> <TD width="50%" height="25px">count</TD> </TR> <TR> <TD width="50%" height="25px">successful</TD> <TD width="50%" height="25px">1600</TD> </TR> <TR> <TD width="50%" height="21px">failed</TD> <TD width="50%" height="21px">200</TD> </TR> <TR> <TD width="50%" height="25px">account locked</TD> <TD width="50%" height="25px">10</TD> </TR> <TR> <TD width="50%" height="25px">successful (distinct usernames)</TD> <TD width="50%" height="25px">1200</TD> </TR> <TR> <TD width="50%" height="25px">failed&nbsp;(distinct usernames)</TD> <TD width="50%" height="25px">50</TD> </TR> <TR> <TD width="50%" height="25px">account locked&nbsp;(distinct usernames)</TD> <TD width="50%" height="25px">9</TD> </TR> </TBODY> </TABLE> Fri, 25 Mar 2022 20:58:10 GMT adamsmith47 2022-03-25T20:58:10Z https://community.splunk.com/t5/Splunk-Search/How-to-display-SPL-to-chart-events/m-p/590743#M205671 <P>I have a search I can compose using multiple appends and sub-searches to accomplish, but I assume there's an easier way I'm just not seeing, and hoping someone can help. (maybe using | chart?)</P> <P>Essentially, I have a set of user login data... username and login_event (successful, failed, account locked, etc...).</P> <P>I'd like to display a chart showing total events (by login_event) and distinctive count by username, which might look like below:<BR /><BR /></P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" height="25px">login_event</TD> <TD width="50%" height="25px">count</TD> </TR> <TR> <TD width="50%" height="25px">successful</TD> <TD width="50%" height="25px">1600</TD> </TR> <TR> <TD width="50%" height="21px">failed</TD> <TD width="50%" height="21px">200</TD> </TR> <TR> <TD width="50%" height="25px">account locked</TD> <TD width="50%" height="25px">10</TD> </TR> <TR> <TD width="50%" height="25px">successful (distinct usernames)</TD> <TD width="50%" height="25px">1200</TD> </TR> <TR> <TD width="50%" height="25px">failed&nbsp;(distinct usernames)</TD> <TD width="50%" height="25px">50</TD> </TR> <TR> <TD width="50%" height="25px">account locked&nbsp;(distinct usernames)</TD> <TD width="50%" height="25px">9</TD> </TR> </TBODY> </TABLE> Fri, 25 Mar 2022 20:58:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-SPL-to-chart-events/m-p/590743#M205671 adamsmith47 2022-03-25T20:58:10Z https://community.splunk.com/t5/Splunk-Search/How-to-display-SPL-to-chart-events/m-p/590754#M205673 <P>Ok, let's analyze what you want to get from your search.</P><P>You have three different types of login_event and you want to count occurrences of each of them as well as distinct values of username field associated with each of those types of events.</P><P>So the first part is what kind of summary you want to get</P><PRE>&lt;your search&gt; | stats count dc(username)</PRE><P>You want count of events as well as count of distinct values of username field.</P><P>Now you need to tell splunk how to split the values. You want separate stats for each value of the login_event field. So you add</P><PRE>by login_event</PRE><P>And you're pretty much home - you should get all the information you need.</P><P>If you don't like the layout (you should get 3x2 table) you can try to use untable. But that's another story.</P> Thu, 24 Mar 2022 20:14:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-SPL-to-chart-events/m-p/590754#M205673 PickleRick 2022-03-24T20:14:56Z