Splunk Search

How to count values and display against another field?

Matrix20085
Explorer

Sorry, I am unsure how to describe what I am looking for using Splunk terminology, and I am sure that is why I am having trouble finding the answer.

What I am looking for:

User   | Status | count
-------+--------+------
Mike   | True   |   2
       | False  |   1
-------+--------+------
Logan  | True   |   4
       | False  |   2

So far my search looks like this:

index=logs EventType="logon"
| stats values(Status) as Status count by User



It is almost there, but in the count column, it combines the count for True and False and only gives a single number.


ITWhisperer
SplunkTrust

index=logs EventType="logon"
| stats count by User Status

Matrix20085
Explorer

This is where I started, but it lists the User for each Status they have. I was hoping to have the user listed once with all of their different statuses next to them.


ITWhisperer
SplunkTrust

Each row is an event with various fields - if you want to combine the resulting events by User, try something like this:

index=logs EventType="logon"
| stats count by User Status
| stats list(Status) as Status list(count) as count by User
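As an added example (not from the original thread), the same per-user breakdown can also be produced with chart, which turns each Status value into its own column and makes it easy to derive a failure ratio per user. It assumes the same index, EventType and Status values as the question, and that Status="True" means a successful logon.

```spl
index=logs EventType="logon"
| chart count over User by Status
| fillnull value=0 True False
| eval failure_pct=round(100*'False'/('True'+'False'), 1)
| sort - failure_pct
```

The fillnull step matters because a user with only one Status value would otherwise have a null in the other column and the eval would return nothing for that row.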

Matrix20085
Explorer

Nailed it! Thanks so much.
