Solved: How do you group by field in the stats table?

richardphung · ‎12-13-2018

I am attempting to get the top values from a datamodel and output a table.

The query that I am using:

| from datamodel:"Authentication"."Failed_Authentication" 
| search app!=myapp 
| top limit=20 user app sourcetype 
| table user app sourcetype count

This gets me the data that I am looking for.. however, if a user fails to authenticate to multiple applications, for example: win:remote & win:auth, they will have two entries in the table:
for example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, winreventlog:security, 80

Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180

Is there a way to concatenate? or combine these fields for each top user?

whrg · ‎12-13-2018

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

View solution in original post

whrg · ‎12-13-2018

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

How do you group by field in the stats table?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!

Are you a member of the Splunk Community?

How do you group by field in the stats table?

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Splunk App Dev Community Updates – What’s New and What’s Next

The Latest Cisco Integrations With Splunk Platform!