How to count Stats by two Fields in one search

hyleung · ‎07-09-2019

I have tired the following commands to retrieve the results, but it fails.

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) count by (action=failure), src | sort -count

or

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) values(src) count by (action=failure) | sort -count

And I want to achieve the following results.

+-------+--------+-------+
| User | src | count |
+-------+--------+-------+
| Mary | IT1001 | 10 |
+-------+--------+-------+
| Mary | IT1002 | 6 |
+-------+--------+-------+
| Peter | IT2002 | 9 |
+-------+--------+-------+
| Alan | IT3003 | 8 |
+-------+--------+-------+

Please help me. Thanks.

tiagofbmm · ‎07-10-2019

 |from datamodel:"Authentication"."Failed _Authentication" | where Authentication.action="failure" | stats values(src), count by user   | sort -count

renjith_nair · ‎07-10-2019

@hyleung,

|from datamodel:"Authentication"."Failed _Authentication"|stats count by user,src

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to count Stats by two Fields in one search

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

How to count Stats by two Fields in one search

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...