Re: What would be the right approach to rerurn res...

dannyze · ‎03-11-2020

For example

  index=active_directory |  eventstats count by useraccount | search count=1

The above returning events for a unique field value of useraccount. What I am looking for is events with a unique user account grouped with several of another field value. Have tried transaction command to no avail.

Pointing in the right direction is greatly appreciated.

xavierashe · ‎03-13-2020

index=active_directory | stats values(process_name) count by user

to4kawa · ‎03-12-2020

grouped with several of another field value.
What's the fields?

dannyze · ‎03-12-2020

Field of process_name
So one useraccount with many processes accessed , process_name being many different values

xavierashe · ‎03-12-2020

Is this closer to what you are looking for?

index=active_directory | stats values(process_name) by user

dannyze · ‎03-12-2020

Yes this works!
I just added a count

| stats count values(process_name) by user

xavierashe · ‎03-13-2020

Great, I'll post it as an answer so you can accept it.

dannyze · ‎03-13-2020

After testing it out, it is returning on a single process_name value given the threshold.
So instead of returning results where one user is seen with many process_name values it groups a user with any process_name value

Hopefully this came across clearly
Thank you

xavierashe · ‎03-11-2020

something like this?

index=active_directory | stats distinct_count(user) as distinct_count by host | where distinct_count=1

What would be the right approach to rerurn results when a unique field value is seen with several if another field value?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio