Solved: How to add contributing fields to unique values?

girtsgr · ‎05-19-2022

Hi, I seem to be stuck with something pretty trivial. I have events with users and corresponding hostnames, eg:

User	Hostname
user1	hostA
user1	hostB
user2	hostA
user2	hostC
user3	hostD

I want to count unique user-hostname values and show the contributing hostnames for users that have used more that 1 hostname like this:

User	Hostnames used
user1	hostA hostB
user2	hostA hostC

This seems to take care of the first part of the task:

| stats dc(Hostname) as uh by User
| search uh > 1

How can I add the contributing Hostnames?

Formatting is not so important - it may be one field with all the hostnames like in the example above, or multiple fields, or one field together with the User field.

Thank you.

ITWhisperer · ‎05-19-2022

| stats values(hostname) as hostnames by User
| eval uh=mvcount(hostnames)
| where uh > 1

View solution in original post

ITWhisperer · ‎05-19-2022

| stats values(hostname) as hostnames by User
| eval uh=mvcount(hostnames)
| where uh > 1

girtsgr · ‎05-20-2022

Thank you! 🙂

How to add contributing fields to unique values?

count

stats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!