Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I chart pairs of values within the same field

HXCaine
Path Finder
‎08-31-2012 10:35 AM

I have entries in my log which can have the same username but can have multiple machine_types. For example, user "jack" only uses Windows while user "jim" uses Windows and Linux. I want to know how many people use only Windows, how many use Windows+Linux, how many use Windows+Mac, Linux+Mac, etc.

My current query looks like this:

sourcetype="usermachines" | dedup username,machine_type | eval pairs=machine_type+"-"+machine_type | chart count by pairs

However, the pairs look like this:

  • Windows-Windows
  • Mac-Mac
  • Linux-Linux

Am I taking the right approach? If so, how can I use machine_type twice and ask Splunk to read them as separate fields (as if multiplying rows to get two dimensions)?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 12:23 PM

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'

This might be all you need though :

sourcetype="usermachines" | stats values(machine_type) as machine_types by username

View solution in original post

Reply
Solved! Jump to solution
Solution

jonuwz
Influencer
‎08-31-2012 12:23 PM

What you're doing just removes duplicates where machine_type and username are the same.
So when you do machine_type+"-"+machine_type its concatenating 'machine_type' with itself (in the same event)

You probably want to do something like

sourcetype="usermachines" | stats values(machine_type) as machine_types by username | eval machine_types_by_user=mvjoin(machine_types,"-") | table username machine_types_by_user

This groups all the different values of machine_type for the users.

It then takes the multivalue field 'machine_types' and flattens it by joining the values with a '-'

This might be all you need though :

sourcetype="usermachines" | stats values(machine_type) as machine_types by username
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...