How to count Stats by two Fields in one search

hyleung · ‎07-09-2019

I have tired the following commands to retrieve the results, but it fails.

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) count by (action=failure), src | sort -count

or

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) values(src) count by (action=failure) | sort -count

And I want to achieve the following results.

+-------+--------+-------+
| User | src | count |
+-------+--------+-------+
| Mary | IT1001 | 10 |
+-------+--------+-------+
| Mary | IT1002 | 6 |
+-------+--------+-------+
| Peter | IT2002 | 9 |
+-------+--------+-------+
| Alan | IT3003 | 8 |
+-------+--------+-------+

Please help me. Thanks.

tiagofbmm · ‎07-10-2019

 |from datamodel:"Authentication"."Failed _Authentication" | where Authentication.action="failure" | stats values(src), count by user   | sort -count

renjith_nair · ‎07-10-2019

@hyleung,

|from datamodel:"Authentication"."Failed _Authentication"|stats count by user,src

---
What goes around comes around. If it helps, hit it with Karma 🙂

How to count Stats by two Fields in one search

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to count Stats by two Fields in one search

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!