Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Count of values by sourcetype
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Count of values by sourcetype
mpuckettsc
Explorer
04-27-2017
10:31 AM
This should be pretty simple, but I seem to lack the right terms to find my answer:
We have several source types with a field "user". All I would like to return is a table where users are the rows, sourcetypes are the columns and the values are the number of events a user appears in that source type.
So if it were a CSV, it'd look like
user,firewall-logs,linux-logs,windows-logs
bob,4,2,4
nancy,8,1,3
eve,0,4,2
A totals column at the end would be great, but I can live with out it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mpuckettsc
Explorer
04-27-2017
10:45 AM
I found what I was looking for,
(search) | chart count over user by sourcetype
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
04-27-2017
10:47 AM
| addtotals
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-27-2017
11:56 AM
@mpuckettsc... Please accept DalJeanis answer as that is the complete answer you were looking for, addtotals will add Total of numeric fields as final column.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-27-2017
10:44 AM
Please try the following:
<Your Base Search>
| chart count over user by sourcetype
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
04-27-2017
10:43 AM
| makeresults
| eval mydata="Bob,firewall-logs,4 Bob,linux-logs,2 Bob,windows-logs,4 Nancy,firewall-logs,8 Nancy,linux-logs,1 Nancy,windows-logs,3 Eve,linux-logs,4 Eve,windows-logs,2"
| makemv mydata
| mvexpand mydata
| rex field=mydata "(?[^,]+),(?[^,]+),(?.+)"
| table user sourcetype thecount
| rename COMMENT as "The above just produces test data as if you had done |stats count as thecount by user sourcetype"
| chart sum(thecount) as count over user by sourcetype
| addtotals
Get Updates on the Splunk Community!
Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...
If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...
Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions
Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
