Solved: How to create a table that indicates a column with...

greentomatoes · ‎04-10-2023

Hi everyone,

I am currently trying to create a table that shows the count of activity by user as well as the occurrence in which sourcetype:

What I am trying to achieve

Users	Sourcetype	Count
User 1	source 1	20
User 2	source 2	30

Here is my base search at the moment:

index=index* "user"="user1*" OR "user"="user2*" | stats count by user | eval input_type="Count"| xyseries input_type count

Right now, it does show me the count of the user activity but I'm not sure how to add the sourcetype to the search to create a table view.

richgalloway · ‎04-10-2023

Just add "sourcetype" to the stats command.

index=index* "user"="user1*" OR "user"="user2*" 
| stats count by user, sourcetype

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-10-2023

Just add "sourcetype" to the stats command.

index=index* "user"="user1*" OR "user"="user2*" 
| stats count by user, sourcetype

---
If this reply helps you, Karma would be appreciated.

greentomatoes · ‎04-10-2023

Thank you! I didn't realize how simple the solution was haha

How to create a table that indicates a column with the sourcetype?

chart

count

field extraction

stats

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!