Developing for Splunk Enterprise

What would be the right approach to return results when a unique field value is seen with several of another field value?

dannyze
Explorer

For example

  index=active_directory |  eventstats count by useraccount | search count=1

The above returns events for a unique field value of useraccount. What I am looking for is events with a unique user account grouped with several of another field value. I have tried the transaction command to no avail.

Pointing in the right direction is greatly appreciated.


xavierashe
Contributor
index=active_directory | stats values(process_name) count by user

to4kawa
Ultra Champion

grouped with several of another field value.
What's the fields?


dannyze
Explorer

The field is process_name.
So one useraccount with many processes accessed, process_name being many different values.


xavierashe
Contributor

Is this closer to what you are looking for?

index=active_directory | stats values(process_name) by user

dannyze
Explorer

Yes this works!
I just added a count

| stats count values(process_name) by user

xavierashe
Contributor

Great, I'll post it as an answer so you can accept it.


dannyze
Explorer

After testing it out, it is returning on a single process_name value given the threshold.
So instead of returning results where one user is seen with many process_name values, it groups a user with any process_name value.

Hopefully this came across clearly
Thank you


xavierashe
Contributor

Something like this?

index=active_directory | stats distinct_count(user) as distinct_count by host | where distinct_count=1
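The follow-up in this thread ("it is returning on a single process_name value given the threshold") is what you get when the threshold is applied to `count`, because `stats count` counts events, not distinct values: a user who ran the same process ten times passes a threshold of 5 just as easily as a user who ran ten different processes. In SPL the distinct-value count is `dc()`, so the search the question describes is `index=active_directory | stats count dc(process_name) as process_count values(process_name) by user | where process_count >= 5` (pick your own threshold). The Python below is an added example, not code from the thread or from Splunk; it re-implements that `stats`/`where` logic over a constructed batch of Active Directory-style events so the difference between `count` and `dc` is visible side by side with the original `eventstats count ... | search count=1` query. The event dictionaries, user names, process names and hosts are all made up.

```python
"""Group events by user and keep users seen with many distinct process_name values.

Mirrors the Splunk search
    ... | stats count dc(process_name) as process_count values(process_name) by user
        | where process_count >= N
Added example; the events below are constructed, not real Active Directory data.
"""
from collections import defaultdict

# Constructed sample events (hypothetical users, processes and hosts).
SAMPLE_EVENTS = [
    {"user": "alice", "process_name": "outlook.exe", "host": "ws01"},
    {"user": "alice", "process_name": "outlook.exe", "host": "ws01"},
    {"user": "bob", "process_name": "cmd.exe", "host": "ws02"},
    {"user": "bob", "process_name": "powershell.exe", "host": "ws02"},
    {"user": "bob", "process_name": "net.exe", "host": "ws02"},
    {"user": "bob", "process_name": "whoami.exe", "host": "ws03"},
    {"user": "carol", "process_name": "chrome.exe", "host": "ws04"},
    {"user": "dave", "process_name": "explorer.exe", "host": "ws05"},
    {"user": "dave", "process_name": "explorer.exe", "host": "ws05"},
    {"user": "dave", "process_name": "word.exe", "host": "ws05"},
    {"user": "eve", "host": "ws06"},  # no process_name: ignored by the aggregation
]


def stats_by_user(events, group_field="user", value_field="process_name"):
    """Equivalent of `stats count dc(value_field) values(value_field) by group_field`.

    Returns {group: {"count": events, "dc": distinct values, "values": sorted list}}.
    Events missing either field are skipped, as Splunk stats does.
    """
    counts = defaultdict(int)
    values = defaultdict(set)
    for ev in events:
        group = ev.get(group_field)
        value = ev.get(value_field)
        if group is None or value is None:
            continue
        counts[group] += 1
        values[group].add(value)
    return {
        g: {"count": counts[g], "dc": len(values[g]), "values": sorted(values[g])}
        for g in counts
    }


def users_with_many_processes(events, threshold):
    """`| where process_count >= threshold` on the dc() column: the intended result."""
    return {u: row for u, row in stats_by_user(events).items() if row["dc"] >= threshold}


def users_with_many_events(events, threshold):
    """Same filter applied to `count` instead of dc(): this is why a user running one
    process repeatedly slips through a threshold meant for distinct processes."""
    return {u: row for u, row in stats_by_user(events).items() if row["count"] >= threshold}


def users_with_single_event(events):
    """The original `eventstats count by useraccount | search count=1`: users seen once."""
    return sorted(u for u, row in stats_by_user(events).items() if row["count"] == 1)


if __name__ == "__main__":
    for user, row in users_with_many_processes(SAMPLE_EVENTS, 3).items():
        print(f"{user}: {row['dc']} distinct processes -> {row['values']}")
    print("users seen once:", users_with_single_event(SAMPLE_EVENTS))
```

With a threshold of 3, only bob is returned by the `dc` filter, while the `count` filter also returns dave, whose three events cover just two processes; that gap is the behaviour reported in the thread.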