Splunk Search

How do you group by field in the stats table?

richardphung
Communicator

I am attempting to get the top values from a datamodel and output a table.

The query that I am using:

| from datamodel:"Authentication"."Failed_Authentication" 
| search app!=myapp 
| top limit=20 user app sourcetype 
| table user app sourcetype count

This gets me the data that I am looking for.. however, if a user fails to authenticate to multiple applications, for example: win:remote & win:auth, they will have two entries in the table:
for example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, winreventlog:security, 80

Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180

Is there a way to concatenate? or combine these fields for each top user?

Tags (3)
0 Karma
1 Solution

whrg
Motivator

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

View solution in original post

0 Karma

whrg
Motivator

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20
0 Karma
Get Updates on the Splunk Community!

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...