Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group data, but keeping data to be grouped.

dreadangel
Path Finder
‎03-28-2019 07:03 AM

Hi all,

I got some data structured next: 

url    user     event
-------------------------------------
Url1, user1, EventType1
Url1, user1, EventType2
Url2, user1, EventType3
Url2, user1, EventType1
Url1, user2, EventType1
Url2, user2, EventType2
Url3, user2, EventType3
...

My goal is to build a statistics table:

    [Url],  [Total events count], [Distinct users count], [Top $x users + count list]
    Url1                       2                       2                     user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url2,                      3,                      1,                    user1 - 1
                                                                             user2 - 1
    -----------------------------------------------------------------------------------
    Url3,                      1,                      1,                    user2 - 1
    -----------------------------------------------------------------------------------

After using stats command in pipeline grouped data isn't available anymore, so is it possible "to add" statistics to the result or should I use multiple subsearches - each acquiting its goal and after joining them?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution

DMohn
Motivator
‎03-28-2019 08:12 AM

It might be a bit ugly, but this query gives exactly the result you want...

<your_base_query> | stats count as "Total Events", dc(user) as "Distinct Users" by url | appendcols [<your_base_query> | stats count by url, user | eval user = user." - ".count | stats list(user) as "Users + count" by url]

In case you want a distinct event count an no total count, just swap the first stats count for a stats dc(events)

Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip...

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎03-28-2019 07:53 AM

@dreadangel ,

Try

"base search"|stats dc(event) as "Event Count" , dc(user) as Distinct_Users, values(user) as Users by Url

If you need further stats by keeping this data , use eventstats . For eg. |eventstats count as "Total_URL_Count"

---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

dreadangel
Path Finder
‎03-29-2019 03:44 AM

Thank you for the tip upon eventstats - this indeed solves

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...