topic Add a new count field to a table in Splunk Search

Add a new count field to a table

bowesmana — Wed, 16 Oct 2013 04:48:26 GMT

I have a log file of logins to a system by username. I can product a report of the logins by time

host="daily" | table Username, "First Name", "Last Name", Company, Time | sort Username

but I also want to add a total of logins per Username, but I can't figure out how. Other options for the report would be to show a list of login times per username, including fist/last name, company and then a total for that user.

Re: Add a new count field to a table

Ayn — Wed, 16 Oct 2013 06:30:35 GMT

You'll want to use stats.

host="daily" | stats count by Username,"First Name","Last Name",Company,Time | sort Username

Stats supports calculating all kinds of other statistics too (as you would guess from the command name), see: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonStatsFunctions

Re: Add a new count field to a table

bowesmana — Wed, 16 Oct 2013 07:10:44 GMT

That's great, but is there any way I can exclude Time from the difference counter, as I want per user, but I still want to show the time in the report.

Re: Add a new count field to a table

yannK — Wed, 16 Oct 2013 16:44:59 GMT

What time you want, the first, the last, all of them ?
Here are they all,
( first means the earliest, last, the oldest. )

host="daily" | stats count values(Time) AS "all logins" first(Time) AS "most recent" last(Time) 'oldest" by Username,"First Name","Last Name",Company| sort Username