Splunk Enterprise Security

How to count Stats by two Fields in one search

New Member

I have tired the following commands to retrieve the results, but it fails.

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) count by (action=failure), src | sort -count

or

|from datamodel:"Authentication"."Failed _Authentication" | stats values(user) values(src) count by (action=failure) | sort -count

And I want to achieve the following results.

+-------+--------+-------+
| User | src | count |
+-------+--------+-------+
| Mary | IT1001 | 10 |
+-------+--------+-------+
| Mary | IT1002 | 6 |
+-------+--------+-------+
| Peter | IT2002 | 9 |
+-------+--------+-------+
| Alan | IT3003 | 8 |
+-------+--------+-------+

Please help me. Thanks.

0 Karma

Influencer
 |from datamodel:"Authentication"."Failed _Authentication" | where Authentication.action="failure" | stats values(src), count by user   | sort -count
0 Karma

SplunkTrust
SplunkTrust

@hyleung,

|from datamodel:"Authentication"."Failed _Authentication"|stats count by user,src
0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!