Breakdown the Totals

kbohlken · ‎05-20-2021

I want to add more columns that will show the sessions. Such as sudo su ssh etc. Currently I have this:

index="name of index" user=*
| chart count by user, action
| sort user

Maybe I need two separate searches? One for action=failure and another for action=success? I'm trying to breakdown what the totals are for success and failures. Specifically I'd like to know when ssh sudo and su are being used.

yuanliu · ‎05-20-2021

(This is a general forum for all Splunk data types. It always helps to have input examples/illustrations. For this specific question, it will also help to illustrate how you expect output to look like.)

Assuming your data includes user, action, and session, like

_time	action	session	user
2021-05-20 19:09:39	fail	bar	user2
2021-05-20 19:09:39	fail	sudo	user3
2021-05-20 19:09:39	success	sudo	user1
2021-05-20 19:09:39	success	sudo	user1
2021-05-20 19:09:39	success	bar	user3
2021-05-20 19:09:39	success	foo	user3
2021-05-20 19:09:39	fail	bar	user1
...

and you want something like

user	action	count	sessions
user1	fail	2	sudo
user1	success	4	bar foo sudo
user2	fail	2	sudo
user2	success	5	bar foo sudo
user3	fail	4	bar foo sudo
user3	success	3	bar foo sudo

You can use

| stats count values(session) as sessions by user, action

Breakdown the Totals

chart

table

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!