Solved: Re: How do you group by field in the stats table?

richardphung · ‎12-13-2018

I am attempting to get the top values from a datamodel and output a table.

The query that I am using:

| from datamodel:"Authentication"."Failed_Authentication" 
| search app!=myapp 
| top limit=20 user app sourcetype 
| table user app sourcetype count

This gets me the data that I am looking for.. however, if a user fails to authenticate to multiple applications, for example: win:remote & win:auth, they will have two entries in the table:
for example:
user1, win:remote, wineventlog:security, 100
user1, win:auth, winreventlog:security, 80

Ideally, I would like a table that reads:
user1, win:remote; win:auth, wineventlog:security, 180

Is there a way to concatenate? or combine these fields for each top user?

whrg · ‎12-13-2018

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

View solution in original post

whrg · ‎12-13-2018

Hello @richardphung,

Try out this search:

 | from datamodel:"Authentication"."Failed_Authentication" 
 | search app!=myapp 
 | stats count as total_count dc(user) as user_count values(user) as users by app,sourcetype
 | eval users=mvjoin(users,", ")
 | sort -total_count | head 20

How do you group by field in the stats table?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

How do you group by field in the stats table?

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!