Solved: How to build search for associate event code of a ...

debjit_k · ‎10-17-2022

Hi

Hope you are doing good..

I want to build one query where I will get user with associate event code or IP for example

If I use stats count by user, event code

I will get

User event code

Abc 1

Abc 2

But I want output like

User event code

Abc 1, 2

I.e. User name should not get repeat for different event code

Can you please guide me here

Thanks

gcusello · ‎10-17-2022

you should use values in your stats command, something like this:

<your_search>
| stats values(EventCode) AS EventCode values(ip) AS ip BY user

Ciao.

Giuseppe

debjit_k · ‎10-19-2022

thank you for the support I actually use list function.

Thanks

gcusello · ‎10-19-2022

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎10-17-2022

you should use values in your stats command, something like this:

<your_search>
| stats values(EventCode) AS EventCode values(ip) AS ip BY user

Ciao.

Giuseppe

How to build search for associate event code of a user?