I want to add more columns that will show the sessions, such as sudo, su, ssh, etc. Currently I have this:
index="name of index" user=*
| chart count by user, action
| sort user
Maybe I need two separate searches? One for action=failure and another for action=success? I'm trying to break down what the totals are for successes and failures. Specifically, I'd like to know when ssh, sudo, and su are being used.
(This is a general forum for all Splunk data types. It always helps to have input examples/illustrations. For this specific question, it will also help to illustrate what you expect the output to look like.)
Assuming your data includes user, action, and session, like
_time               | action  | session | user
2021-05-20 19:09:39 | fail    | bar     | user2
2021-05-20 19:09:39 | fail    | sudo    | user3
2021-05-20 19:09:39 | success | sudo    | user1
2021-05-20 19:09:39 | success | sudo    | user1
2021-05-20 19:09:39 | success | bar     | user3
2021-05-20 19:09:39 | success | foo     | user3
2021-05-20 19:09:39 | fail    | bar     | user1
...
and you want something like
user  | action  | count | sessions
user1 | fail    | 2     | sudo
user1 | success | 4     | bar foo sudo
user2 | fail    | 2     | sudo
user2 | success | 5     | bar foo sudo
user3 | fail    | 4     | bar foo sudo
user3 | success | 3     | bar foo sudo
You can use
| stats count values(session) as sessions by user, action
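To make the semantics of that `stats` line concrete for the ssh/sudo/su case from the question, here is an added example (not from the answer above and not Splunk code) that derives `user`, `action` and `session` from a few constructed Linux auth-log lines and then performs the same `count` and `values(session) by user, action` aggregation in plain Python. The log lines, the regexes and the success/fail heuristics are assumptions for illustration; how your own sourcetype extracts those fields is not known from the thread, so do not copy the patterns as Splunk field extractions without checking them against your data.

```python
"""Added example: reproduce
    | search session IN (ssh, su, sudo)
    | stats count values(session) as sessions by user, action
over constructed auth-log lines. Not the answerer's or Splunk's code."""
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux auth.log (assumed format, not real data).
SAMPLE_LOG = """\
May 20 19:09:39 host sshd[1001]: Accepted publickey for user1 from 10.0.0.5 port 51234 ssh2
May 20 19:09:40 host sshd[1002]: Failed password for user2 from 10.0.0.9 port 51240 ssh2
May 20 19:09:41 host sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/ls
May 20 19:09:42 host sudo:    user3 : command not allowed ; TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 20 19:09:43 host su[1010]: (to root) user1 on pts/0
May 20 19:09:44 host su[1011]: FAILED SU (to root) user3 on pts/1
May 20 19:09:45 host sshd[1003]: Accepted password for user1 from 10.0.0.6 port 51250 ssh2
"""

# Assumed patterns: sshd logs "Accepted|Failed <method> for <user> from ...",
# sudo logs "<user> : TTY=..." on success and "<user> : <reason> ; TTY=..." on failure,
# su logs "(to root) <user> on ..." on success and "FAILED SU (to root) <user> on ..." on failure.
SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<verdict>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<rest>.*)")
SU_RE = re.compile(r"su\[\d+\]: (?P<failed>FAILED SU )?\(to \S+\) (?P<user>\S+) on")


def parse_event(line):
    """Return {"user", "action", "session"} for a recognised line, else None."""
    m = SSHD_RE.search(line)
    if m:
        action = "success" if m["verdict"] == "Accepted" else "fail"
        return {"user": m["user"], "action": action, "session": "ssh"}
    m = SUDO_RE.search(line)
    if m:
        # A successful sudo record starts with TTY=; a failure carries a reason first.
        action = "success" if m["rest"].startswith("TTY=") else "fail"
        return {"user": m["user"], "action": action, "session": "sudo"}
    m = SU_RE.search(line)
    if m:
        action = "fail" if m["failed"] else "success"
        return {"user": m["user"], "action": action, "session": "su"}
    return None


def parse_lines(text):
    """Parse every line of the log text, dropping lines that match no pattern."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev]


def stats_count_values(events, sessions=None):
    """Python equivalent of
        | search session IN (<sessions>)
        | stats count values(session) as sessions by user, action
    values() in SPL yields the distinct values of the field, sorted lexicographically,
    which is what the sorted set below reproduces."""
    groups = defaultdict(lambda: {"count": 0, "sessions": set()})
    for ev in events:
        if sessions is not None and ev["session"] not in sessions:
            continue
        g = groups[(ev["user"], ev["action"])]
        g["count"] += 1
        g["sessions"].add(ev["session"])
    return [
        {"user": u, "action": a, "count": g["count"], "sessions": sorted(g["sessions"])}
        for (u, a), g in sorted(groups.items())
    ]


def run(log_text=SAMPLE_LOG, sessions=("ssh", "su", "sudo")):
    """Parse the log and return the aggregated rows, one per (user, action)."""
    return stats_count_values(parse_lines(log_text), sessions)


if __name__ == "__main__":
    for row in run():
        print(f'{row["user"]:6}| {row["action"]:8}| {row["count"]:5} | {" ".join(row["sessions"])}')
```

The `sessions` filter plays the role of a `| search session IN (ssh, su, sudo)` placed before the `stats`, which is the simplest way to restrict the table to the three session types from the question without running separate searches for success and failure: both actions still land in one result set, as separate rows per user.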