Splunk Search

How do you group by field in the stats table?

richardphung
Communicator

I am attempting to get the top values from a datamodel and output a table.

The query that I am using:

| from datamodel:"Authentication"."Failed_Authentication" 
| search app!=myapp 
| top limit=20 user app sourcetype 
| table user app sourcetype count

This gets me the data that I am looking for.. however, if a user fails to authenticate to multiple applications, for example: win:remote & win:auth, they will have two entries in the table:
for example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, winreventlog:security, 80

Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180

Is there a way to concatenate? or combine these fields for each top user?

Tags (3)
0 Karma
1 Solution

whrg
Motivator

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

View solution in original post

0 Karma

whrg
Motivator

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...