Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search check on a single day which a user had done  transactions for more than 3 different vendors?

splkjk
Explorer
‎05-20-2022 08:18 AM

Hello Splunkers, @SPL , Was working on some of the development activity, got stuck at some level.

We have a scenario where I need to check , on a single day which a user had done  transactions for more than 3 different vendors

Date User ID Vendor Transactions
10/5/2021 user 1

SAAS

(User1)

 $$$$$
10/5/2021 user 2

PAAS

(User1)

 $$$$$
10/7/2021 user 3 IAAS $$$$$
10/8/2021 user 4 AAA $$$$$
10/9/2021 user 5 CCCC $$$$$
10/10/2021 user 6 FFFF $$$$$
10/5/2021 user 7

XXXX

(User1)

 $$$$$
10/6/2021 user 8 ZZZZ $$$$$
10/8/2021 user 9 EEE $$$$$
10/9/2021 user 10 QQQQ $$$$$
10/10/2021 user 11 SSSS $$$$$
10/11/2021 user 12 PPPP $$$$$
10/12/2021 user 13 WWW $$$$$
Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:31 AM

Hi @splkjk,

you could use the stats command, something like this:

(supponing that you already extracted the fields I'm using, otherwise you have to extract them)

index=your_index
| stats dc(Vendor) AS dc_vendor values(Vendor) AS Vendor BY User_ID
| rename User_ID As "User ID"

if possible don't use field names with spaces, you can rename fields at the end of the search.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎05-20-2022 08:31 AM

Hi @splkjk,

you could use the stats command, something like this:

(supponing that you already extracted the fields I'm using, otherwise you have to extract them)

index=your_index
| stats dc(Vendor) AS dc_vendor values(Vendor) AS Vendor BY User_ID
| rename User_ID As "User ID"

if possible don't use field names with spaces, you can rename fields at the end of the search.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

splkjk
Explorer
‎05-23-2022 10:25 AM

Thanks @gcusello , i was able to get the distinct count for the User ID who had done transactions with different vendor on same day, but after extracting i need to get the table in below format.
When i add the below query 

"table Date User_ID Vendor Transaction" the table gets populated for only User ID and Vendor, date and Transactions are not getting populated

Regards

DateUser IDVendorTransactions
10/5/2021user 1SAAS(User 1)$$$$$
10/5/2021PAAS(User1) 
10/5/2021XXXX (User1)$$$$$
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-23-2022 11:24 PM

Hi @splkjk,

you have to add some option to the stats command, something like this:

index=your_index
| stats 
     dc(Vendor) AS dc_vendor 
     values(Vendor) AS Vendor 
     earliest(_time) AS Date
     values(Transaction) AS Transaction
     BY User_ID
| rename User_ID As "User ID"
| eval Date=strftime(Date,"%Y-%m-%d %H:%M:%S")
| table Date User_ID Vendor Transaction

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...