I am a new Splunk user and my knowledge is pretty limited. I am trying to create a report which looks like this:

Country  UserGroup  UserName  DaysUsed
US       A          JM        5
         B          AM        9
CA       A          BH        2
         B          DK        10

A blank Country column in the second row means it belongs to US, and so on. DaysUsed is a calculated field for each user: the sum of all days with Quality > 90.
The data looks like this:

Date        Country  UserGroup  UserName  Quality
2013/06/10  US       A          JM        80
2013/06/10  US       A          AM        91
2013/06/10  US       B          BH        91
I have the following query, which calculates DaysUsed for each UserName:

<search> | eval foo = if(Quality>90, 1, 0) | stats sum(foo) as DaysUsed by Date (for each user ??)

I need to get the sum of days with Quality > 90 for each user; this query does not do what's intended. How can I do it for each user?

Next step: how can I then group all this by Country?

Any pointers on how I should approach this query? Thanks in advance.
Try this:
your base search | eval foo = if(Quality>90, 1, 0) | stats sum(foo) as DaysUsed by Country UserGroup UserName | stats list(*) as * by Country
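The same two-stage pipeline run over a handful of rows built inline with makeresults, so it can be pasted into any Splunk search bar (an added example, not from the answer above; the data rows are constructed). It also goes one step further than the answer: DaysUsed is taken as the number of distinct dates with Quality > 90 via dc(eval(...)), so a user with several events on the same day is not counted twice, and users with no qualifying day still appear with 0.

```spl
| makeresults
| eval data="2013/06/10,US,A,JM,80|2013/06/10,US,A,AM,91|2013/06/11,US,A,AM,95|2013/06/10,US,B,BH,91|2013/06/10,CA,A,DK,92|2013/06/11,CA,A,DK,70|2013/06/11,CA,B,JM,99"
| makemv delim="|" data
| mvexpand data
| rex field=data "^(?<Date>[^,]+),(?<Country>[^,]+),(?<UserGroup>[^,]+),(?<UserName>[^,]+),(?<Quality>\d+)$"
| eval Quality=tonumber(Quality)
| stats dc(eval(if(Quality>90, Date, null()))) AS DaysUsed BY Country UserGroup UserName
| stats list(UserGroup) AS UserGroup list(UserName) AS UserName list(DaysUsed) AS DaysUsed BY Country
```

Replace everything up to and including the rex line with your real base search; the two stats commands are the part that produces the per-user counts and then the one-row-per-Country layout from the question.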
Try this search:

<search> | where Quality>90 | stats count as DaysUsed by Country UserGroup UserName | table Country UserGroup UserName DaysUsed