Splunk Search

How can I chart pairs of values within the same field

Path Finder

I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc.

My current query looks like this:

sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs

However, the pairs look like this:

  • Windows-Windows
  • Mac-Mac
  • Linux-Linux

Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)?

1 Solution

Influencer

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type it's concatenating 'machine_type' with itself (in the same event).

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'

This might be all you need though:

sourcetype="usermachines" | stats values(machine_type) as machine_types by username

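To get the count the question actually asks for (how many users have each combination of machine types), the per-user grouping above only needs one more aggregation. The following search is an added example, not code from the original post; it assumes the same sourcetype and field names as the thread:

```spl
sourcetype="usermachines"
| stats values(machine_type) AS machine_types BY username
| eval combo=mvjoin(machine_types, "-")
| stats count AS users BY combo
| sort - users
```

The first stats collapses each user's events into one row whose machine_types field holds that user's distinct machine_type values; values() already deduplicates, so the dedup from the original query is unnecessary. Because values() returns the distinct values in lexicographic order, the joined key is canonical: a user with Windows and Linux events in either order always yields "Linux-Windows", so the second stats never splits one combination across "Linux-Windows" and "Windows-Linux". A user of all three platforms lands in "Linux-Mac-Windows". The eval must come after the first stats, since an eval before it only sees one event (and therefore one machine_type) at a time, which is why the original query produced Windows-Windows and similar pairs.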
