Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group data, but keeping data to be grouped.

dreadangel
Path Finder
‎03-28-2019 07:03 AM

Hi all,

I got some data structured next: 

url    user     event
-------------------------------------
Url1, user1, EventType1
Url1, user1, EventType2
Url2, user1, EventType3
Url2, user1, EventType1
Url1, user2, EventType1
Url2, user2, EventType2
Url3, user2, EventType3
...

My goal is to build a statistics table:

    [Url],  [Total events count], [Distinct users count], [Top $x users + count list]
    Url1                       2                       2                     user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url2,                      3,                      1,                    user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url3,                      1,                      1,                    user2 - 1
    -----------------------------------------------------------------------------------

After using stats command in pipeline grouped data isn't available anymore, so is it possible "to add" statistics to the result or should I use multiple subsearches - each acquiting its goal and after joining them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:12 AM

It might be a bit ugly, but this query gives exactly the result you want...

<your_base_query> | stats count as "Total Events", dc(user) as "Distinct Users" by url | appendcols [<your_base_query> | stats count by url, user | eval user = user." - ".count | stats list(user) as "Users + count" by url]

In case you want a distinct event count an no total count, just swap the first stats count for a stats dc(events)

Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip...

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip upon eventstats - this indeed solves

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...